7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf

Analysis

max time kernel
146s
max time network
99s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Size

151KB
MD5

2ae608629f862ea76773f3dc2ad90721
SHA1

c9d57adeca4e325373d6e684f686b46350ce2c55
SHA256

7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf
SHA512

a470df36ae484ce9024784dcfe82da0648badd853fc31507d4862c0d043494dfedcf87bd0faefae9d604e0c48ba151e74030c91f10355f1cc914fd3178e4ad42
SSDEEP

3072:fnBoB8+uWRGyVvDSnFw/LIxt0cBGHjRAVCXOqfjiNSzgiN+LfOla7NAOtLez:pFLWnV2wTaYjRG7i4f+a7p8

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	xccef090131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\xccinit = "C:\\Windows\\system32\\inf\\rundll33.exe C:\\Windows\\xccdf16_090131a.dll xccd16"	xccef090131.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2736	rundll33.exe
3000	xccef090131.exe
2840	xccef090131.exe

Loads dropped DLL 3 IoCs

pid	Process
2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
3016	cmd.exe
3016	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1292-3-0x0000000000320000-0x0000000000350000-memory.dmp	upx
behavioral1/memory/1292-7-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x0015000000016ceb-66.dat	upx
behavioral1/memory/3000-80-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\rundll33.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\rundll33.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccefb090131.scr	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccdfb16_090131.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 3000 set thread context of 2840	3000	xccef090131.exe	37

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xccwinsys.ini	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\system\xccef090131.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\xccdf32_090131a.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\xccdf16_090131a.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File opened for modification	C:\Windows\xccwinsys.ini	xccef090131.exe
File created	C:\Windows\xccdf32_090131a.dll	xccef090131.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93F2DCF1-3D14-11EF-880F-D61F2295B977} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	xccef090131.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426596276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
2840	xccef090131.exe
2840	xccef090131.exe
2840	xccef090131.exe
2840	xccef090131.exe
2840	xccef090131.exe
2840	xccef090131.exe
2840	xccef090131.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Token: SeDebugPrivilege	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe
Token: SeDebugPrivilege	2840	xccef090131.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1228	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2156	1292	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2736	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2736	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2736	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2736	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2692	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2692	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2692	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	32
PID 2156 wrote to memory of 2692	2156	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	32
PID 2736 wrote to memory of 3016	2736	rundll33.exe	34
PID 2736 wrote to memory of 3016	2736	rundll33.exe	34
PID 2736 wrote to memory of 3016	2736	rundll33.exe	34
PID 2736 wrote to memory of 3016	2736	rundll33.exe	34
PID 3016 wrote to memory of 3000	3016	cmd.exe	36
PID 3016 wrote to memory of 3000	3016	cmd.exe	36
PID 3016 wrote to memory of 3000	3016	cmd.exe	36
PID 3016 wrote to memory of 3000	3016	cmd.exe	36
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 3000 wrote to memory of 2840	3000	xccef090131.exe	37
PID 2840 wrote to memory of 1228	2840	xccef090131.exe	38
PID 2840 wrote to memory of 1228	2840	xccef090131.exe	38
PID 2840 wrote to memory of 1228	2840	xccef090131.exe	38
PID 2840 wrote to memory of 1228	2840	xccef090131.exe	38
PID 1228 wrote to memory of 2652	1228	IEXPLORE.EXE	39
PID 1228 wrote to memory of 2652	1228	IEXPLORE.EXE	39
PID 1228 wrote to memory of 2652	1228	IEXPLORE.EXE	39
PID 1228 wrote to memory of 2652	1228	IEXPLORE.EXE	39
PID 2840 wrote to memory of 1228	2840	xccef090131.exe	38

C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\inf\rundll33.exe
    "C:\Windows\system32\inf\rundll33.exe" C:\Windows\xccdf16_090131a.dll xccd16
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "c:\xcclstecj.bat"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\system\xccef090131.exe
        
        "C:\Windows\system\xccef090131.exe" i
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\system\xccef090131.exe
        
        C:\Windows\system\xccef090131.exe
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:275457 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
    3⤵
    - Deletes itself
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8cbf15bf4c43bc34c5946c464cc216

SHA1
22a9c68989367473e195a08971e442f272fb1c24

SHA256
7d691cb15df59757a57c760a1889660aa92894db530e675597121aa93d8cb134

SHA512
f480e32b29c6894db9d3c42861112452bd6a4b449db3c923de12378f421f905b90cfbc138d674bac1e105a319bb328a0f772531bbd3bb9ac2699e2b2235482a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72915b6d76ba52e26e024b3c8d10c900

SHA1
a5e1ac82a3bee0f7049a6f9b1fae3c9fd17acbc2

SHA256
d00009e8c570bc648aa77ed27c492082dcc08dcfe109bd65d02da232c93ecf9c

SHA512
9896db6f73f552b8bb5d8056340ccc1e3249551a059a8d763713e9d03736c4055d16e9bf5a6a10eb465533209d91d91139be15782d85f20c343fc5083bb7fd4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fd3c7bb939698bbbac7116535186635

SHA1
c102173a8565b264c4fedd5b49ea2d5cdab80d9b

SHA256
0a782f2bdf9be6abd7386572be53fe0c5037702699a4d91ebf656ca2b87f352a

SHA512
c04ee9036df19cc7802a66f1b7b5c597deb088c3cac936c275368f5f1fb8965039a3693c76661cd026e541b914dd7eec85f0a8937434d48c9fa295702fa34152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
860fd72ac47da325ccb1c5b2e66fc4c3

SHA1
0447b2b098ec5c8d6fa5d542b4a304fc6d7d2edd

SHA256
8f1caec6b8296dd52b77663e3000e123f1b3a1329d9c6296ec6303e8d6045cef

SHA512
56cdace801cf8b52b3dff17d37a04ef74edce48544ac61236c5a6facdf4e1319bc8690ee2452a76e115555295f980694720c63def284de3f5ed4576277dfdde8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d258ed5c6ff5fcc901e4b31af4113eb

SHA1
f3c37b741feb6898dcd9612a32a1341d69b9f5c4

SHA256
a619498bf41df86c263a8a7f6f6b8eae5a5bca27d3431326c0b7835a2f6892d2

SHA512
8c8eb48c2b0093b54b563ecf120a744d1b5cf7be91716ef221ea745a666ea34ffb372793b617d2c5f0011a9929243e4b24cdc072f91c0d5ce29d48e6d0d057db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8895bb0dfb664371e76c3e8dd73eaac

SHA1
e148a113f53fbb3f6560663b937b2ed05088e5f5

SHA256
9021b6e668a6a538a4361f7ac9b42b49b0eb3d2406086242337030754c9caadd

SHA512
587557edfa86f882d4ced36bbc7bf85d563aa4506d0c4fa3f063cdd04967d9befc0b72284d9692d77b9174f9f8bf22c03363ed2d731d7bcfef73dde5f607ee85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9b4d20871309606c248e31eb24f68d7

SHA1
deaa76307f197e78da4a5825cdc1806db076f482

SHA256
d07d330039766ae7bc7211bc831696cd566142e4e67062e11ba0d2ae6fe7f7ad

SHA512
0554a22df3caed910c9443556e9a43bba3695a91a2f1d6ba3a0becd5b112dcd15932eaab6031b172f6f3eba765abedf19f1c16c59228fe0e71515b152bfa776a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f825cba48ad6bdd8c511d77ed513f41

SHA1
9d82ef7b890e18284254193299095e2ea5d546dd

SHA256
691356ce82189f34d3a48c5d4e7eb13d95ed0cee3779ba43407973fd84efa940

SHA512
1c88a1b46df2efc9f18a8fac4ae98c4b8e6677a12d535f0185a4c6f04ba25ff3164c47e54f1b999dfffec3d39a54b128aa06ec99ed8ae7b5533d155201449faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2ec17a3ac5de0174c536ffeaac78eb

SHA1
d215d737e9bde48e91366d864bec30cea76ae5a6

SHA256
734b058a4a131a101622aec233abeda40481ae2125506584e112c58448700b0d

SHA512
06c8ff8e3f4390b29a55a688d329113354515db0c2661dd82d50e8efb5436f9b082f93b959b18765ce1b145047528216eb610fdf7cbde0af41becd6da112a5aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2fc849f313e015f30f6a21da9979e95

SHA1
32ea95b0d4bd5424b8befe655c716bf0520472b1

SHA256
63ae11ce490086852488b4ce01b69a9e026df5d63878b809f4f222115631c1c3

SHA512
46c922a6ece8d1db129c9e20e650b2c35dcba6c7fc9cd8a6c646a321917f1b16fb4b7fc28697ff9970f3fb0303e41720b8806fa1c7f38f5e75da7d40b97649c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c7f9dc51f899772cd917c17073ad8f8

SHA1
a8a3abc263f27f718ba4694d5082549026fed8dc

SHA256
f1e29f14c61daa8b8f6e717fc589ea34786e7f2d08f7ffa93f2e0b939848e809

SHA512
5406ec70839cbb1c2150c91918d623bb8772ff4dfd3f9cf19126504857e10845b604a797b10c008c09b1148b782c6b85192e64948ffd235a0ee698aa974c74c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3456be014f06d5b2daa7162b25eafb42

SHA1
bac3ec1a854ffe83a2b0e7feadba54b8890412f1

SHA256
0d4a0b6f869a5e7bb939e26121ad2bab9b26ce9b92ae57e74741d28a274b3d87

SHA512
08a2523c112ff2ce212fe98457c561a64159130e711d54875b5301195b14b134203623895b9daf6d3347a6678faa7cc46f0a85620df5667071f756c18bf6b71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b5642be0deb6c67be26d41317eb3b2b

SHA1
f96394956b8ff3b912b386f2538c68d998a53c95

SHA256
df2a68f9d846c4eea5ed93a0798e9f3b6e1ed2aa50444475452334a324a8c720

SHA512
1053a9ee37451dc6259bf9c0b94ac3fae5798783c8f6a3bd0c0150c70cfb124fd05c4e7962d3f0fb9e11e3854a2b071989e30bff8ef0efdd3683f207bf2ba988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38092728d51e8745791f8a09ad3ca4ca

SHA1
3957b5347d121cf35352ef09ed6c93c7fb4830cd

SHA256
d88b71dca214300aa88b1769b40d2323dc1a527fb71fe0c8a6c9c403458f3b0f

SHA512
fe4c1cb431ccab1b8cb115e9d71637608a39da7811108c5b6598a979ae5b7b6adfe39e4b2885aeae5d7813a4ca76ca264b37514e5b39b2f30d3aa6faf8312f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aab9019870f2916a495fc82a3539b730

SHA1
911cdd01d54638e45e24c4cd2fa6b4a69dac130d

SHA256
5646601b7f3a55eac86f7c83ee16ee7a0c1467b164f01cbc64f2274dc8204f47

SHA512
22f81b36d435246a97b33a3924485ac0c7182541df24b64377d384d40d4f6ade487dd821efa4ca17d1cac8ade42bfb6c49438846953172f7725999f574ebdc34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acf9b98720629239a6aa2530729895e0

SHA1
852b000adeac8483578c972739f4f6ad7a89175d

SHA256
b7358f03f0be8c47096b2ce31f5a9f3b56a2e1808d0298afcfe30bab0f60d332

SHA512
0b4fbacb2eaec65f99c93df4ba77049ecdbc8fdaedb94bb1f4f8eab36aef177b3fec3c11f626a7f45ad008f1824ff4733ad12ccc31b2682a61828897998360b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf44c61ae2b9b22d5aacb5bb5a5c11e4

SHA1
16efef8280da67360e873db1b9c2052a43897ec1

SHA256
cbf6474202547806f655fdbe391cdcb3165a45d2071b71fa901064d7db612ba7

SHA512
01bc55a0464dc247a05c18be7788fdc58e4590857d820f51e62398839bfb566e7ea4a698bc71e859576f374a78792f8c4e86c5ed515c48e05a6d22754a99ddff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9425070ae1c1a282f0ba1581f302aa4

SHA1
b39b716c27c28ef14c0fd93c5717dad767ed60a2

SHA256
d26aa1d58164e030375b83a10ae25fb1f534caf88d2f5ae3832beaeec4c557de

SHA512
5ccd8d4347ae6fbdfb09d6a064c2c08aaee032b37cca56bed2c06c4134c3a4f33cbe94d0f4cf31e7f7705dda0c784dd5dc9a2fc76b5c150dc4018d8185f61f9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2be0c6ac4ea5630c2decdd1fc89aa33b

SHA1
67d22581c3a072e5727db54644dbae0090024d92

SHA256
a5006b470bbab60e59939e4daddc69dd7aa6fca820615850ace9df1b082ba24a

SHA512
fd553ee45cc12b0fdb5a2fa09f619c5aa74632ce55b49cc1f11b26a431b13eb9e8b856d0fab1d8ac0c3cc3ad1faaf4640d12a2350c118ef7765c081c31aef41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab918.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\inf\rundll33.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\xccdf16_090131a.dll

Filesize
35KB

MD5
5b92b330f4c0041beefa085616115d77

SHA1
9518f3a58c9326973e6cccb53e3f521abdfe55cb

SHA256
f3103d8d33c9187c5e3388d7c16fb16b9bc7d6d2a39269fe7a5a38cdabbc70ec

SHA512
8a1d05573a6aa789a065df954bf3f1a5fbd591ba9226b5906ba4c152c212c5e8be447798da29dfe49179375feca1bef96bf2827728294c40f0a4f23cd8e7e319

Download Submit
C:\Windows\xccdf32_090131a.dll

Filesize
245KB

MD5
f5d65da82d030bfdc74bcc9b5301bb17

SHA1
3c62974c94254694d3ef3e5cc79becbb510ae20a

SHA256
55cf8f2e6cbc27217184fdf54ce4909e01857aa9390e7040cb6453ae3f235c46

SHA512
623a010ed159df0d4f286f1ea57771976cc4b568c288e7d0aa31d8b605383012f559d613293107db88145ed6d31c5585f35d560e6a076abdc39b7150d32cd746

Download Submit
C:\Windows\xccwinsys.ini

Filesize
433B

MD5
2ce220c52d3d10f0445701cbed99e1e8

SHA1
bca9b6023ae8d7c680116e515cad181af8155936

SHA256
e9794fb4934570e12f786ce8622df418889988f140f2f352cfba3514274e9a79

SHA512
0b0a27efa9ae99a32d7110b1d2e2780411b7bdfdb4cce9ef13897c8eb368b12d7e6a4cb0b3769d2563fde0410c901ab167e0e809c359386b5d4aa1b04182f3ab

Download Submit
C:\Windows\xccwinsys.ini

Filesize
61B

MD5
e0ffcda774ceaf4f17db26b0f351267c

SHA1
7257007e83a45f969e7c5b5488ad4e0daea7d4b6

SHA256
9fd82b6a1f43a514d84cebd1caf41c275dd3930ef888917c5e7d541476538313

SHA512
2361ace552945547aef151b44dedd582f7c694da01490faa767ae1223846398e3bd9f431ac294e05f2d26df6a79fe9d4b91d291118679aa14ab8915dc9538f41

Download Submit
C:\Windows\xccwinsys.ini

Filesize
106B

MD5
9248c07dbe19f6ba0d838bb72b038e20

SHA1
44d44f7e68403f6777898a1caba33e2c24bdaa35

SHA256
42c4147f23278b2dc326dc13274ad99d99704c7a832f4dd12e7eb4b44a1f1617

SHA512
f18c54f969a86eb30f4cebbb7458d6c1f11fd5d4d15fdb18b5eb8185c95a4eeaca829bf6cb7eb2fac0492752b04394857d0379fa86cd70dd54b88f3e9d05e5de

Download Submit
C:\Windows\xccwinsys.ini

Filesize
324B

MD5
5425ec8aa7048a49d048109220228328

SHA1
0755821bfb61de303192079f6dcc7691c8523a40

SHA256
6177b7b326dedc6500afc97ee4741267db3aee86bd4e0190aa176ff4158c1016

SHA512
54b2293d61399c9274b4aaba3a5599045cc303a22821807693166567403c5169ee66115d25dc8ea7b209daa8926a95bbd1b3108e9b82ec2748f4bbbc5f77c342

Download Submit
C:\Windows\xccwinsys.ini

Filesize
351B

MD5
9ca65ea28b26551ea111ced0a12c3c8a

SHA1
19e54d74a9f12e8b44e83fdca919027a6e11469d

SHA256
a4562466946d140102aa2b479c90c684e3ba30b23a8c68990fd654d727c94b02

SHA512
75c328b7f2a10ae27b921d0a97d7c9ad1b5347a361d550b8b79df57a61a36372628d0fab4f8466003cec6ea858856af5eace77ecf60a37d3ee23fb2ab83bdcdf

Download Submit
C:\Windows\xccwinsys.ini

Filesize
400B

MD5
e18118bb842592c56949bada4f89ec39

SHA1
01ea21ae036984b16302cc5999e1bee7735950cc

SHA256
bdd1dece61ea2f3ac6cfc74a9e0ab0683e50a05f4da259e8d930ebbcba50e945

SHA512
827f04d136c76fd113790a5ae6aa4a9ce32d3bf2114966074210e0e51efa3e3a850220caa5811cf5c9a3234cc124ecd8778db11da859d719a2e593987c0dbf51

Download Submit
C:\Windows\xccwinsys.ini

Filesize
460B

MD5
eabce2909d8a58ce8d4561596489d218

SHA1
3c3d530157d317ca43405a0f748ef3a56859ba69

SHA256
26e078248dcf0f345de6d5994bed3262f60a82b1d43d977b1f84a84edf41f288

SHA512
22c7d5846f16f1ce7db9651045bba48aba0b8139ffff163610c8ad03958ad1f188dd45f1edd0a030c7eba819283d721e4ef73d2a7dd9d63fd46e86b9bae358e3

Download Submit
\??\c:\xcclstecj.bat

Filesize
47B

MD5
d57ab625a74a7b8c37b7bba52d8fec76

SHA1
34ef2ed4a52add27aae877f7bccbc118bfb2d2cc

SHA256
c5730d339a33263d66bf06698821d9e81d3dfd8093862f8f61bc75f8a919843a

SHA512
8e1d7a3c5f3e2af80d7c023d4d671a42eaf1080eb24340f34b1bc31234e0852f5456b4fc128c9a6d7418e3ce3554391fcbb68ccd3084ca544be90967da19eafa

Download Submit
\Windows\system\xccef090131.exe

Filesize
151KB

MD5
2ae608629f862ea76773f3dc2ad90721

SHA1
c9d57adeca4e325373d6e684f686b46350ce2c55

SHA256
7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf

SHA512
a470df36ae484ce9024784dcfe82da0648badd853fc31507d4862c0d043494dfedcf87bd0faefae9d604e0c48ba151e74030c91f10355f1cc914fd3178e4ad42

Download Submit
memory/1292-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1292-3-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/1292-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2156-4-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2156-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2156-59-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2156-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2156-13-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2156-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2736-982-0x0000000000090000-0x000000000009F000-memory.dmp

Filesize
60KB

Download
memory/2736-62-0x0000000000090000-0x000000000009F000-memory.dmp

Filesize
60KB

Download
memory/2736-91-0x0000000000090000-0x000000000009F000-memory.dmp

Filesize
60KB

Download
memory/2840-107-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2840-92-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2840-81-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2840-501-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3000-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3016-69-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/3016-102-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/3016-70-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download