7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Size

151KB
MD5

2ae608629f862ea76773f3dc2ad90721
SHA1

c9d57adeca4e325373d6e684f686b46350ce2c55
SHA256

7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf
SHA512

a470df36ae484ce9024784dcfe82da0648badd853fc31507d4862c0d043494dfedcf87bd0faefae9d604e0c48ba151e74030c91f10355f1cc914fd3178e4ad42
SSDEEP

3072:fnBoB8+uWRGyVvDSnFw/LIxt0cBGHjRAVCXOqfjiNSzgiN+LfOla7NAOtLez:pFLWnV2wTaYjRG7i4f+a7p8

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	xccef090131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\xccinit = "C:\\Windows\\system32\\inf\\rundll33.exe C:\\Windows\\xccdf16_090131a.dll xccd16"	xccef090131.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	rundll33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	xccef090131.exe

Executes dropped EXE 3 IoCs

pid	Process
1792	rundll33.exe
4748	xccef090131.exe
376	xccef090131.exe

Loads dropped DLL 1 IoCs

pid	Process
1792	rundll33.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2208-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2208-5-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000c00000002350b-68.dat	upx
behavioral2/memory/4748-75-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\rundll33.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\rundll33.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccefb090131.scr	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccdfb16_090131.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 4748 set thread context of 376	4748	xccef090131.exe	92

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\xccdf32_090131a.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\xccdf16_090131a.dll	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File opened for modification	C:\Windows\xccwinsys.ini	xccef090131.exe
File created	C:\Windows\xccdf32_090131a.dll	xccef090131.exe
File opened for modification	C:\Windows\xccwinsys.ini	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
File created	C:\Windows\system\xccef090131.exe	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2345983619"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427199440"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2348640274"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2345983619"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117601"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	xccef090131.exe
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B7701A29-3D14-11EF-ACAC-DA99471DDDDE} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe
376	xccef090131.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Token: SeDebugPrivilege	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe
Token: SeDebugPrivilege	376	xccef090131.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2208 wrote to memory of 2380	2208	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	82
PID 2380 wrote to memory of 1792	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	86
PID 2380 wrote to memory of 1792	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	86
PID 2380 wrote to memory of 1792	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	86
PID 2380 wrote to memory of 3096	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	87
PID 2380 wrote to memory of 3096	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	87
PID 2380 wrote to memory of 3096	2380	2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe	87
PID 1792 wrote to memory of 1976	1792	rundll33.exe	89
PID 1792 wrote to memory of 1976	1792	rundll33.exe	89
PID 1792 wrote to memory of 1976	1792	rundll33.exe	89
PID 1976 wrote to memory of 4748	1976	cmd.exe	91
PID 1976 wrote to memory of 4748	1976	cmd.exe	91
PID 1976 wrote to memory of 4748	1976	cmd.exe	91
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 4748 wrote to memory of 376	4748	xccef090131.exe	92
PID 376 wrote to memory of 2648	376	xccef090131.exe	95
PID 376 wrote to memory of 2648	376	xccef090131.exe	95
PID 2648 wrote to memory of 744	2648	IEXPLORE.EXE	96
PID 2648 wrote to memory of 744	2648	IEXPLORE.EXE	96
PID 2648 wrote to memory of 744	2648	IEXPLORE.EXE	96
PID 376 wrote to memory of 2648	376	xccef090131.exe	95

C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\inf\rundll33.exe
    "C:\Windows\system32\inf\rundll33.exe" C:\Windows\xccdf16_090131a.dll xccd16
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "c:\xcclstecj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\system\xccef090131.exe
        
        "C:\Windows\system\xccef090131.exe" i
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4748
      - C:\Windows\system\xccef090131.exe
        
        C:\Windows\system\xccef090131.exe
        6⤵
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:17410 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Users\Admin\AppData\Local\Temp\2ae608629f862ea76773f3dc2ad90721_JaffaCakes118.exe
    3⤵
    PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C5RYTORX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\inf\rundll33.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\System\xccef090131.exe

Filesize
151KB

MD5
2ae608629f862ea76773f3dc2ad90721

SHA1
c9d57adeca4e325373d6e684f686b46350ce2c55

SHA256
7bc4a0f1e57be920e2dec8d3297e481ded4455ce2a2ee511b646f7dc250a46cf

SHA512
a470df36ae484ce9024784dcfe82da0648badd853fc31507d4862c0d043494dfedcf87bd0faefae9d604e0c48ba151e74030c91f10355f1cc914fd3178e4ad42

Download Submit
C:\Windows\xccdf16_090131a.dll

Filesize
35KB

MD5
5b92b330f4c0041beefa085616115d77

SHA1
9518f3a58c9326973e6cccb53e3f521abdfe55cb

SHA256
f3103d8d33c9187c5e3388d7c16fb16b9bc7d6d2a39269fe7a5a38cdabbc70ec

SHA512
8a1d05573a6aa789a065df954bf3f1a5fbd591ba9226b5906ba4c152c212c5e8be447798da29dfe49179375feca1bef96bf2827728294c40f0a4f23cd8e7e319

Download Submit
C:\Windows\xccdf32_090131a.dll

Filesize
245KB

MD5
f5d65da82d030bfdc74bcc9b5301bb17

SHA1
3c62974c94254694d3ef3e5cc79becbb510ae20a

SHA256
55cf8f2e6cbc27217184fdf54ce4909e01857aa9390e7040cb6453ae3f235c46

SHA512
623a010ed159df0d4f286f1ea57771976cc4b568c288e7d0aa31d8b605383012f559d613293107db88145ed6d31c5585f35d560e6a076abdc39b7150d32cd746

Download Submit
C:\Windows\xccwinsys.ini

Filesize
460B

MD5
2830fcbd96a0febbc4bab249ea9d173b

SHA1
384c7a756952268a2e1d2ebf82d43e155a729585

SHA256
18243ab1efe05536fd5434c6baf75cf506180ae8ace10bb8b04764e374a0ad00

SHA512
fac0b6947d0905711070ac7aba96157b53d7f4419c3276b4da71034d8ae47ca777403c2950c49756d91b321be81d87402eaa9fdff04e90c28713e646b828bb24

Download Submit
C:\Windows\xccwinsys.ini

Filesize
61B

MD5
e0ffcda774ceaf4f17db26b0f351267c

SHA1
7257007e83a45f969e7c5b5488ad4e0daea7d4b6

SHA256
9fd82b6a1f43a514d84cebd1caf41c275dd3930ef888917c5e7d541476538313

SHA512
2361ace552945547aef151b44dedd582f7c694da01490faa767ae1223846398e3bd9f431ac294e05f2d26df6a79fe9d4b91d291118679aa14ab8915dc9538f41

Download Submit
C:\Windows\xccwinsys.ini

Filesize
351B

MD5
9ca65ea28b26551ea111ced0a12c3c8a

SHA1
19e54d74a9f12e8b44e83fdca919027a6e11469d

SHA256
a4562466946d140102aa2b479c90c684e3ba30b23a8c68990fd654d727c94b02

SHA512
75c328b7f2a10ae27b921d0a97d7c9ad1b5347a361d550b8b79df57a61a36372628d0fab4f8466003cec6ea858856af5eace77ecf60a37d3ee23fb2ab83bdcdf

Download Submit
C:\Windows\xccwinsys.ini

Filesize
400B

MD5
e18118bb842592c56949bada4f89ec39

SHA1
01ea21ae036984b16302cc5999e1bee7735950cc

SHA256
bdd1dece61ea2f3ac6cfc74a9e0ab0683e50a05f4da259e8d930ebbcba50e945

SHA512
827f04d136c76fd113790a5ae6aa4a9ce32d3bf2114966074210e0e51efa3e3a850220caa5811cf5c9a3234cc124ecd8778db11da859d719a2e593987c0dbf51

Download Submit
C:\Windows\xccwinsys.ini

Filesize
433B

MD5
2ce220c52d3d10f0445701cbed99e1e8

SHA1
bca9b6023ae8d7c680116e515cad181af8155936

SHA256
e9794fb4934570e12f786ce8622df418889988f140f2f352cfba3514274e9a79

SHA512
0b0a27efa9ae99a32d7110b1d2e2780411b7bdfdb4cce9ef13897c8eb368b12d7e6a4cb0b3769d2563fde0410c901ab167e0e809c359386b5d4aa1b04182f3ab

Download Submit
\??\c:\xcclstecj.bat

Filesize
47B

MD5
d57ab625a74a7b8c37b7bba52d8fec76

SHA1
34ef2ed4a52add27aae877f7bccbc118bfb2d2cc

SHA256
c5730d339a33263d66bf06698821d9e81d3dfd8093862f8f61bc75f8a919843a

SHA512
8e1d7a3c5f3e2af80d7c023d4d671a42eaf1080eb24340f34b1bc31234e0852f5456b4fc128c9a6d7418e3ce3554391fcbb68ccd3084ca544be90967da19eafa

Download Submit
memory/376-105-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/376-98-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/376-88-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/376-77-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/376-76-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1792-81-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1792-128-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2208-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2208-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2380-62-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2380-6-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2380-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2380-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4748-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download