2018736eacc9d84fea20d31c2e5e1d1762103fcb9bc86c254c1415cb5b6eee14

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
Size

124KB
MD5

3ef580bb31a7a0ecd419e88de1df9a12
SHA1

451fef47679a39cc218facef5b50c75e8680ac9c
SHA256

2018736eacc9d84fea20d31c2e5e1d1762103fcb9bc86c254c1415cb5b6eee14
SHA512

11b856abc6722381afe41ae141dfcb66cca5bc8531c5bd01f26969757ad347e127b1e0853ed3110696dcf2487b1b329a84f724fa58c16598db535906cab48ee2
SSDEEP

3072:ILNVA/8MGsysgMXU6niwnyTfv/AZW7uPeEgyK+or:YM1GLsjijTfvIZWueHj

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf081207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\mainyust = "C:\\Windows\\system32\\inf\\svchoct.exe C:\\Windows\\wftadfi16_081207a.dll d16tan"	sgcxcxxaspf081207.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	svchoct.exe
2632	sgcxcxxaspf081207.exe

Loads dropped DLL 3 IoCs

pid	Process
2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
2836	cmd.exe
2836	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\svchoct.exe	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchoct.exe	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs081207.scr	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scsys16_081207.dll	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tawisys.ini	sgcxcxxaspf081207.exe
File created	C:\Windows\dcbdcatys32_081207a.dll	sgcxcxxaspf081207.exe
File opened for modification	C:\Windows\tawisys.ini	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf081207.exe	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File created	C:\Windows\dcbdcatys32_081207a.dll	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
File created	C:\Windows\wftadfi16_081207a.dll	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426981821"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{404459A1-4096-11EF-890B-725FF0DF1EEB} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf081207.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe
2632	sgcxcxxaspf081207.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
Token: SeDebugPrivilege	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe
Token: SeDebugPrivilege	2632	sgcxcxxaspf081207.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1616	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3004	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3004	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3004	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3004	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2840	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2840	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2840	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2840	2544	3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2836	3004	svchoct.exe	33
PID 3004 wrote to memory of 2836	3004	svchoct.exe	33
PID 3004 wrote to memory of 2836	3004	svchoct.exe	33
PID 3004 wrote to memory of 2836	3004	svchoct.exe	33
PID 2836 wrote to memory of 2632	2836	cmd.exe	35
PID 2836 wrote to memory of 2632	2836	cmd.exe	35
PID 2836 wrote to memory of 2632	2836	cmd.exe	35
PID 2836 wrote to memory of 2632	2836	cmd.exe	35
PID 2632 wrote to memory of 1616	2632	sgcxcxxaspf081207.exe	37
PID 2632 wrote to memory of 1616	2632	sgcxcxxaspf081207.exe	37
PID 2632 wrote to memory of 1616	2632	sgcxcxxaspf081207.exe	37
PID 2632 wrote to memory of 1616	2632	sgcxcxxaspf081207.exe	37
PID 1616 wrote to memory of 2676	1616	IEXPLORE.EXE	38
PID 1616 wrote to memory of 2676	1616	IEXPLORE.EXE	38
PID 1616 wrote to memory of 2676	1616	IEXPLORE.EXE	38
PID 1616 wrote to memory of 2676	1616	IEXPLORE.EXE	38
PID 2632 wrote to memory of 1616	2632	sgcxcxxaspf081207.exe	37

C:\Users\Admin\AppData\Local\Temp\3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\inf\svchoct.exe
  "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081207a.dll d16tan
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylas3tecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system\sgcxcxxaspf081207.exe
      "C:\Windows\system\sgcxcxxaspf081207.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\3ef580bb31a7a0ecd419e88de1df9a12_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b0eb739654114467e8f152b2c8073785

SHA1
e715fe748e7349d18674e78084e2bdae550b5ab9

SHA256
cbf0924dc35cc9a6bf03b2d644b9fde777be978c47d2709e7f51538f049a7fa3

SHA512
cf4ed8b9654c2a9841aed334ddecf21665ca268ff5263af13cbb43f33da9c30043a671a5d133c9aeed24355227d71994002a2b031034e58db1b0eb7c0d086ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22bb16c4b30c1cf0c9fb903c54437a34

SHA1
9721e64070d85fdf75939c87d914e7ca634e41fc

SHA256
9024cbd088d062fb037c60ac085fb0db5a9ad2bbe8bb2108bfb818ba805e5426

SHA512
b6b794e29fb5e7cfd21c9405baa61a8404f3a7fa5604c23d6f815c4f4bcf2d7f63bbf78e670a79aeb846af38b08a48e59e9d24fe5a6fe56377db00d99873585c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fdb7e0f46b30ce55fd1a95ba60de2027

SHA1
bfe3fa974f79b7d9174946e21208d0a0a708f8f4

SHA256
daf7649343463db958396b2579e4013c8c07c2b96143ef43781d23e56ed44fd9

SHA512
08bd6c02f8cc49965c7aaa28df83a076a68fb2f5838c65a27c3e8403eb00fd64f6440580d88abecc090f33750e75065c89daa7d10a5d9af39b4dbfdabfbba9be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3de7ac4c5ab96c9654c7796117f7e2f1

SHA1
e8efa51d1fb3610fdec254bd73fef9207323a37a

SHA256
6ef26dddfbec4cffcb3e67a305907fffa6e254faf28ad6935d25ea2272284d65

SHA512
b3d285011fccf642b97f3151b15de5a19924020a54c7be213b36681a3b3e652ec1a8bc01c2651bae42f4ecff8b7d2ebdaa41d79af5e4f85aa5f9cc65dc67d14d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
925922fd5a6b6ba50b29b7a462a2ed22

SHA1
a68319d4ad1382ec286e0413baec76d067d3d3cb

SHA256
3fee3fcde09102148e6193ffd7cad54482268e0726f5372d406604192d902705

SHA512
a0b2e7f556595aaf572e5244ee7481fca7d13a2588c12629b3c3af553619d1da1aa6e4f04a7c52c2e96e331e511bce063b33fb4b19a365a3f82893256139913e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
70773287d53aff8bf4d37cdb5fe88f69

SHA1
e68c9a839d532250c4ba8e60d3d795a9b1924e90

SHA256
a003023a6f163fde9c42a6f0c33610e7731f31d9fd1c4caa25d7c090422890ea

SHA512
c1f10f042daef3da3bdac48d2bcaeb497d85d1576ec08b00fc1ff69c2b9fbc74c714d490d79dea340f53e3b65722792160f31ec1159a960a118c598ce8a8cdde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
28602ec5adb33b338a7e477dae632648

SHA1
d635458d289d7e96804d3634315cf11d161b8555

SHA256
2d163667738d9b0e1117606af6c4290841ab09802bc75123c01529095570a3fd

SHA512
02a57d28f32f05b5453c2ea4063183f7870b055531939cbd8f94972f01e8ab74aa515be6d2b1aabbc641bf54e4b5faf07d9157b35643ba59f4811aa6adcf44d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
373bfe6470f8ebddf77ef8e722acc765

SHA1
6385553724cd9076745e4f26c876fd5de495bf71

SHA256
3c33d4495f8d88f948e8d5017450725b4c6255ea22adb53230ccf6f35f2adc0f

SHA512
5f9de5c30b721b0465da19fef22a3218b4844aa1d55afc122dacd0005ffb4347f2214bf827c26de530d6f7fac07e37b181b3b230d7ca8f384b41e0180d8c523a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b7ed379c570f2c86cab79aacf97f8f49

SHA1
2ab080d844af71df322b35196a6da406531663e6

SHA256
a492d487f02e05a1793adb0ff2b5011d3830844badfae62aec07ff216867085c

SHA512
253bafd5ca15a8c8d67fb79b1689180fc407ec4911f624b0c922ed4e906c551b96ff52d6a2b28abcd55d24f0e003c25f62fe1bbf31713bfbd96a64e98165ed75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c8cb835bb59d4960ae590716d5bcc65c

SHA1
7bd15cc42e6c9e0ba8476496621da09a2d371726

SHA256
ac4465ca85bac623e5c5820ea32512a9e306ad23205bf24ec29d838b5836c8b9

SHA512
44dd37473f94aba47edf502e99772a2622213cb9778b154f0e31096e5940c0c9979fd8a3fb965853202a9b9851b58f831d3f2c3d8e555ba577b8c268d8146ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7b64a75bf08e2c4eeae0d5502e944f17

SHA1
f9530d7a0dd2afc632f06bc01a00529fe36f31d4

SHA256
82c49402c8db8aa4a83c66d738597186dd5e544f62b77e26572544ee7d6e9ede

SHA512
58112b852c314d6b6108a93e551e08fb947db8ed435feddcc72d904604b1ebed76e3d3ea1071645f72575d801986760c517135364156ced7adb4d26a71a47418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
be08881e02bd9392c42977ffb9f7eaae

SHA1
e4257807737d1c5017c49055fccd1bb5c09cf50f

SHA256
bf280fd4473d33f9bdd963af9b3fe6b4063cbdaf5f749db490ddcdbafc9134a2

SHA512
5b2927e57c2334d64f810b0e6916b3f7a9caef26d47ff68e91d293d6f5d5a783a9b1d48ffe0146643bc057069df16734c55365d2f3598237083aad349425e07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
061320c4b9beac4035c72b1c73178ac0

SHA1
dd6ab61621c9306f772c95cccc82c90662a14a3d

SHA256
7547afeac9b1bf41f0d8373b1210bcf4b1242f0b4c8b5819e5dafba2f9fe5fcf

SHA512
4307cfc0d2f36c80a38d82df37685826f7ccb1bc578b0e9f23dd8c5d07a4aac00ba48f30b4e0fbd71246cc83b3364da7d3351ce4d74c9395537f5f205435eb14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9aa0c48239f1761ca082da56335789c0

SHA1
69ff40563cb58168bc97e0e00689fb63f93d033c

SHA256
0a93785559999ec05999c0cae264a1df4bdc71dce99360169f74c3484692456c

SHA512
3fe671517939a6de31126256adaefaebab8264be1580ede363f7f97dd2876029e87a0221990987626b6fc335f27677b488f889d40a62deceed3125b98d6587f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1efd91a45e0cf64e8a823bec8a294d73

SHA1
105eff370de0c8e2dcb53f467103098c775f9835

SHA256
f47ce6a173629502943f581ebd119b9274f4286b85bcd9e90e044a7f97cfb88d

SHA512
ef5c5870bf65023d73fb0a94674f049499a2698ff1d1e6aa6e4dcd6fcfdbdb1ad97bc9ff7f09812aee6f930e70b52161f1d7798ddada6ec372ddbd9fbffdf27b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
677375bb24e16715fb4c52642e681c64

SHA1
8ab773da4b8b6471e8c889d1c3c476300ae9c421

SHA256
d3bfe8a6ddbe7e6d38a27548db5fa26a1a0fd4fc53d24a5004d05aa59b9dccd3

SHA512
f2958c339a8d78f9d3961160b8f43a938f325653c55bc7aeba96fcb825dac65a6d20edfb41336401b0192a67f76138f29627db065f4661966b70c236afe51cf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c1136179f569926539cc79e41727d3c2

SHA1
5961c21953708ab35d0e9907f38fe251b89c087c

SHA256
46e5d7399e78c53c77567eccaa49be0039ed904bfb8b19762be5ea04df504695

SHA512
3430fbb192a626902cd3210e95afe7805dfb3946ea12c663227ac5eed58099b8d8638aeb8905bd0c125fdfb2e77eb2aa3c27a12557b641b4e0ce6b18ec50421b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
90dce3d1785721366d48cc35a7e1fdcd

SHA1
d17fc8dd219f702149926838e344dad92cdf0e79

SHA256
068b01e1d35c018d2b21805f92ac128eb0415f03a8b1699648b30a5790687b88

SHA512
f99ef55fb203a385da3b48786390ed709d3ca2d509820975d5d3e65f63bb167d23abefea64c91877c1307381971005e4004c09524b7fd9cdf0f575a085593d82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
36d13b4a8ea25282ca58a5ac88c837b7

SHA1
b8394bb4851f6ca9e72d5c0cb391108a7c928e63

SHA256
a6ad54c044e16c67d447b3c107c17d34f5d124891ddcebe004eb007c6e4e7aba

SHA512
271de3799945748843d4f66829113706f0232d6bcd34cdd5b096523e74414704ce1bd893f1ce0ac187c75bd7c22d247bbe24a0ec412ee0d7163277e7eec8f5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab149D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar153C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dcbdcatys32_081207a.dll

Filesize
235KB

MD5
60ae90145a6bc50790318fb0b074131f

SHA1
6f5b6ab387fde56f099fb88496aee66ac4106108

SHA256
a5b0faef46cc255e80aadcf61ba275bfab81ec521562c34bfebc2c1becd93a78

SHA512
67989effaf49bfad2e28ff10842f42be360d8d4e0d2e0a70fd703d160060ab9be43015a312afcaa01e4e44c570dabe54d9f1705c5ef78973ee407b59aebb9f80

Download Submit
C:\Windows\tawisys.ini

Filesize
384B

MD5
e23f6a4f7b965af905d7e351c0b0ec8b

SHA1
3a08e85973f97fd69e84d1df616c5ba502cb2f89

SHA256
f97ebbe90cdf6f1e1269fde9803dd62267b0537ae678f293ac7932ceb3129d3a

SHA512
6ac58b57278712a14f52420c1af4d76d35e96cd513c57328d53e835d6d51c1941ac76c90b0cb310513ffc047da42a800dd04d46e79317c33fe0fb60a4c2d79e9

Download Submit
C:\Windows\tawisys.ini

Filesize
433B

MD5
d34de41bf887fb72334a0c542a23ef09

SHA1
9d406bd5397f8df8e31281af66775cfec8cbab16

SHA256
4e021fcea72f077712c6912c8541fcebab2cfd9550a02d4b3f0965707c607bc0

SHA512
f20b0489ca533266f3d165a140cc849f6d696d3eed3fd0acc7c980dabb45c1e23ba693dd97031ab380eaad2dc19d2146cb6417071e21c02ec52f588bff167e6d

Download Submit
C:\Windows\tawisys.ini

Filesize
133B

MD5
868797b6ba0b170cdfcebbd7ed0e0f09

SHA1
d8737f0c91e1e5c84122a0e187eaff60d8427b78

SHA256
5973d411b49ceed8d05060752861634f14302a0a65d635b38178c23ad32255a8

SHA512
4b26f77658e449a9b358bf8381617027fc8884818c03ee33d5fa8af23b73c640dccff3c500f88724b9fe7b3d5e3cd4ace4a84bd4293eec1cf920a522f92908d5

Download Submit
C:\Windows\tawisys.ini

Filesize
493B

MD5
144057c45d92f089a256e2cc77f353a9

SHA1
76270dec421527c2de9d86a260ee66cbf57bde70

SHA256
db889373cd9f3df74bc4a2f011ea02d1596bb12618939ebf5a56b42b7d607832

SHA512
1e455f8694cd8dc8b83179fc4450160649d54ba5d36675277a6293c0525b3b8eb70ff6b3b988da9bb86e35776a0b47f93a2d52c943ded63e6825552550ecbd19

Download Submit
C:\Windows\wftadfi16_081207a.dll

Filesize
36KB

MD5
7f2a23d9909f950a1c71d7dfbac0debd

SHA1
f6eb6dc4fad12f793af39be6032b2dfed3e52268

SHA256
d96d0cc09dc769c936182c362ff07b1a28ea79c5e83d103f3072b67f1ec50b61

SHA512
62f1ded32c5ea3dc2a10231dc0d360fde5f55a46d56787a3a32fc221a53e7a29e65cf51e6bfca3612444e9a67a75c2d6593c44243a5d33221f327bfd5b88783d

Download Submit
\??\c:\mylas3tecj.bat

Filesize
53B

MD5
791fba77df97af6aed5a5d834e301244

SHA1
877333337e83d8441521cd8d7fd13e692299035f

SHA256
2b7519863fb197a1736a51a92578e3e73b592cb93541d1e48046bb8b70adb64e

SHA512
08d0d731076ae00051b4584640631724c382ac072c53cf5502a32fd714ce548c26bf3854704bf4cc250a21484c42d35a22dc47a8e3f59a17c10b7e74cf507a23

Download Submit
\Windows\SysWOW64\inf\svchoct.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\sgcxcxxaspf081207.exe

Filesize
124KB

MD5
3ef580bb31a7a0ecd419e88de1df9a12

SHA1
451fef47679a39cc218facef5b50c75e8680ac9c

SHA256
2018736eacc9d84fea20d31c2e5e1d1762103fcb9bc86c254c1415cb5b6eee14

SHA512
11b856abc6722381afe41ae141dfcb66cca5bc8531c5bd01f26969757ad347e127b1e0853ed3110696dcf2487b1b329a84f724fa58c16598db535906cab48ee2

Download Submit
memory/2544-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2544-48-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2632-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2632-85-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2836-59-0x00000000022E0000-0x0000000002359000-memory.dmp

Filesize
484KB

Download
memory/2836-58-0x00000000022E0000-0x0000000002359000-memory.dmp

Filesize
484KB

Download
memory/3004-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3004-957-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download