295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Size

109KB
MD5

859c3f171bcb3ed7d10007ec71f98082
SHA1

b02a91d37762e485e02284ad13040522ea41471c
SHA256

295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d
SHA512

9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391
SSDEEP

3072:08jQ/bYnmYQus2HoUqrdT1x/QaiAjnLq845OKzNm:0IQ/b4nqbdB9Xnt45VRm

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchosts.exe C:\\Windows\\system32\\lwfdfia16_080521.dll tanlt88"	sgcxcxxaspf080521.exe

Deletes itself 1 IoCs

pid	Process
2844	svchosts.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	svchosts.exe
2596	sgcxcxxaspf080521.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2844	svchosts.exe
2844	svchosts.exe
2844	svchosts.exe
2844	svchosts.exe
2728	cmd.exe
2728	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\sppdcrs080521.scr	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdccasys32_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lwfdfia16_080521.dll	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdccasys32_080521.dll	sgcxcxxaspf080521.exe
File created	C:\Windows\SysWOW64\inf\svchosts.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosts.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	svchosts.exe
File opened for modification	C:\Windows\pwisys.ini	sgcxcxxaspf080521.exe
File opened for modification	C:\Windows\pwisys.ini	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf080521.exe	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgcxcxxaspf080521.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{836D7A01-56FC-11EF-90E9-F64010A3169C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080521.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429444668"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe
2596	sgcxcxxaspf080521.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Token: SeDebugPrivilege	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe
Token: SeDebugPrivilege	2596	sgcxcxxaspf080521.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2844	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2844	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2844	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2844	2088	859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2728	2844	svchosts.exe	32
PID 2844 wrote to memory of 2728	2844	svchosts.exe	32
PID 2844 wrote to memory of 2728	2844	svchosts.exe	32
PID 2844 wrote to memory of 2728	2844	svchosts.exe	32
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2728 wrote to memory of 2596	2728	cmd.exe	34
PID 2596 wrote to memory of 2080	2596	sgcxcxxaspf080521.exe	35
PID 2596 wrote to memory of 2080	2596	sgcxcxxaspf080521.exe	35
PID 2596 wrote to memory of 2080	2596	sgcxcxxaspf080521.exe	35
PID 2596 wrote to memory of 2080	2596	sgcxcxxaspf080521.exe	35
PID 2080 wrote to memory of 2780	2080	IEXPLORE.EXE	36
PID 2080 wrote to memory of 2780	2080	IEXPLORE.EXE	36
PID 2080 wrote to memory of 2780	2080	IEXPLORE.EXE	36
PID 2080 wrote to memory of 2780	2080	IEXPLORE.EXE	36
PID 2596 wrote to memory of 2080	2596	sgcxcxxaspf080521.exe	35

C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\859c3f171bcb3ed7d10007ec71f98082_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\inf\svchosts.exe
  "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080521.dll tanlt88
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system\sgcxcxxaspf080521.exe
      "C:\Windows\system\sgcxcxxaspf080521.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b1a9ab965e11710cc6fa275caaa0f79

SHA1
0117213669a711d07cc3bb76070b06814922a912

SHA256
74225f46d7a2d525278fb0c5d2269a2e8ede2ac2e141d80361f86c4f84828538

SHA512
8b2a70ec7842e541ce0e75a373c44cdc4a3be488200ef9b059912ac9223046e13ae84eed7c66fc273530372cdb3a3c7a401c44c99ed0f4c4c93ebf49a9a3d1bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
114d3a5d14ccf1ca67445aaeefa3cfd5

SHA1
62a2ad6df54c789cc617cc3d3c439cc2e0454b53

SHA256
50362f097ae5b28712fc286a58d6ffba103aed8eeca73956ec2b7d724dddd12f

SHA512
614ed38143ff5a4d1ff963bd328bae60e567838f52395458963af0b00a7cf33ac9cd2f0fb86f108ee2c650684e3d2c1b15e600bda848a56bd1ce4af69bdbab6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcc851cfdc5e1ad8256f58f896a83548

SHA1
7d21b9bd40e6e7dc803ecb189a0e66bcce7c4602

SHA256
e06e8527d91a86ff8398fd0bf7b1fbc49061eeeca37abd2461117054289a114a

SHA512
442f1e757fb39a963ee6971d8e5d718473c4229fbf5239e0c3f42e0bbf7d2d69aa347932306f127b92c13f2942f82a869e302202544a538536bd8bd70be591d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e230c261148ffb222a3d6225176cf28

SHA1
2956abfe300a6e4cd440f1b5db975b364f605bcc

SHA256
81a2b2654a99ddbab468e735517108c3987741c94d18c68c570eefec3feaee94

SHA512
de204dc620ed72313fbfbe2838c785fb424e2a6870dc8abe4ae1efb377658e6b41fc8284102df863beee1bcb8f3a2485ac78ec16ce07817ba1ed50c87d8ead91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cda8b80f54a87888f97dcabcfaab6a50

SHA1
748184965b0dd7eecfaee049aa130a92ac743dc8

SHA256
03d41b1947e4889acbbc88baa45e7f756a1f91bf1fd8dfb56facf1c0662fb4c9

SHA512
67886d92e5a893b3823f28748f88e40892ede4c7d32df5e914a45dfe5c50f099fb50c78590b0b21e5501ae8904d1a7d53c8b6ba2507dd34b684f4e153da2600e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1b9b662d7686dcb54107e3f8dfc3af9

SHA1
cf84297a5ba8d5987e70607a6a62667cedf534bf

SHA256
3858fc3413feedfd81a18575e1167d7a8e5bc0e8acc68be89f1fe715dafe0c1b

SHA512
e8994a8884b8a04a690b8e93a6a43cc356e14b8171e691005fec5cb62b05ee4e1b1852ddfb78f1359d9d2591eb7bc4522a0b032187c2f64058b3b563f68583f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0685823f8d4e381d96b15ec7be0cf315

SHA1
8139a6042a1d85a7fc307ad4588fb1580cd477cd

SHA256
94be8dbd624ff78e5c7ccb425d4084ac699c802ab4f4ab45d6dfb8ee2c1b9950

SHA512
e83faf639451af6de6b9eecae7c467c901c965f0da87a7bf5c036c604b2691e958407f5f56e457a5d888d795036f119ed527f2c59de8fc393029a658fe639d87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60c0ea9fe39b68996ced42153e8035b9

SHA1
b2c432bb7f597e7ce6f0c3de1687984796f34ede

SHA256
0f18990a7d6e01070b7b96aaff2aa8687c840bccc9a7f6a4ab5e57dc9d46ebe5

SHA512
ef4211748ba1c58143b428d096fe3da2b7b4ad389129fd81872cf80ac25ae647471e075b0dd40bbd8c43b2411ee1287674bb3144b67639d0369550dd3dd60e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
641605525ab24d7e9af89f66377f3c55

SHA1
64066ef2cf0d6bf7c020f65970021f0e7940dc17

SHA256
01d1ab4bcaa3cc3e980d163c1bb70ff73c5eb6743f5fde80d14abd37f4d91199

SHA512
74874affa5898c93ecd4932dbac8e1eb1340eed02aa93c82cc9d200e0a6fa72da4f6faa5152bd39fc42df0b4bc0011291f5e901e7808db8a6858b25a85815057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6f47f5a6c9509cec81614c667ba0865

SHA1
8fcff7e9331a8dd88691f8b936e992e8ed556896

SHA256
845c74098d55a0554683c9ad13f355e24a323ffcf45d448cef2caf02a1608444

SHA512
cd891227a453adeba22eda2229cb632e71758427fe2a29806f1e354496d7c907f16c015d5a88f30f1375b27ce4bb8fa59e3eac29d5caedcb976f7715d5359c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce0502f9f51c784161179f9a44305f5d

SHA1
95ff09464bdcc6c46a3e42011c69a107c1228062

SHA256
c4f6e7ea4c8a9792374b4987959f6a1000e67face51ee08e1c818a32d89f33c6

SHA512
83d296b81923ddea3b0179a391156566aa48aa1370c6fcc207d06f47914a32f3fc2a52b5cf7087823f93d42091f8ee96fb4b4092fc2e56dea387f40e3bdb59c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e9aa45575c7d3865ab198bf52e2e694

SHA1
4cc4ff4f00f2540535e386b5ce0217ddeacd9b57

SHA256
5c0aecfef7cf63af65b426d097dd611f7b4f0e29b2c14d40eb36ec37158956d6

SHA512
e3363735ce205e22128ebbed26a629e1eb99acb6b3fec2b06f0d1caf93db008e54083d4730254ab2e4967593f8bb07820a1336bce04f2d23dc6bbaa494580d67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd149e60b8ffe6e9220bb1c413ad483f

SHA1
ea7720255412eac99e4ac003ec4d6d2365b349a3

SHA256
e6683fc27e76930df67cde602c0b765337dd8844122968f28b9e00b413fb6ee3

SHA512
67ea92d2a3b91509e5b970e885c94f977d92d4cc3276342619cc9ebb744bfa9a348745036305e391a3724b5297700e62ed8f8b71b502adbab26ecd27c86544a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e5676a4c2b7d4986977a23088f423cb

SHA1
98da4931195473f87dd7347d3dd7a2f048d3ea18

SHA256
a9b2059216ed0c348a16560834a26116bf842ec737fb3c7cc9b0f6171a89079d

SHA512
48db6a59cc5d55aa52a46cec23c3780449099fd9bdf84434befb8f9feff9dc30fe59477cc25943d627370a5282c4f355940bf7fc219c88cff02da213e8a83a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4943f68eee616200d37872d5be6dfb73

SHA1
e32aef99e16f4da0429e8698da64863d05491406

SHA256
7df53f5c7d6d4bc2cb80e336566b891ab9e2744fd9bc670fde53db6b9ce1b981

SHA512
5ff8b4a4a5c9d527cf7e85e0a743d765766e8bf6c31a243b9214dcfd1e0bac9f3c0580b35d8540465008c76682b5e702fe23ce66241f3db9d5e39610f6563afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97967a3ccd2833ae5f2e555bec618f3

SHA1
558ad0fcdcb8b5bc22c15f9edde19ad4eefbc644

SHA256
fd05dc773ff7bd22d1672bb1573e2556829c28288ae5b671da06e4d00d44a01b

SHA512
4030fe2077e2b8ca3c89320e269d8c9e235de59dfa851676cb7966b8421d506073515462138854eeca654c906547daa47cd73c9ecd4047787f4a1b583b228eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48ad8ee12d346734459f1b012e008111

SHA1
1246bde871298e3f14d96b08e952ba0be29b1d5e

SHA256
92a9c1bcc1eedfe12d08ff02e41369ecb6bf7b88fc545e6db5d246db1d938598

SHA512
3984491e4136b87f20f98fd5c19058b5c8ebd7d230a47223a52fb809face95dfb3b761594266f526f72c8c14fa56340452f9a537f8a34f387906c454ac8bf1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab761B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar769D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\mdccasys32_080521.dll

Filesize
218KB

MD5
b64ce329b1243662ee34c2b15ee00aff

SHA1
a7b4fc826fb785ca8c1be74f665a7204c848b300

SHA256
17353a78a579784ad3194e3d19ca10ad8cbbb2f39bc7651f5f3e264932694a31

SHA512
ccaa27d3db61a8976f43439891afb27695982752cc1bccf5173300584e45a785191f9d991c26e2570acfe08550cc45168301200bc5a76803aad7847e2d8ce8b1

Download Submit
C:\Windows\pwisys.ini

Filesize
46B

MD5
02a44daab973d76f4d098b09bb769341

SHA1
f08c38e8f4204154b5e0abd563e52eb8ac18daba

SHA256
7c0b825425cd7bf72504488463b492b9c8531ea796988fcf7f7f5868a2293f73

SHA512
1320a0f8fbd6ee431a636d932994d53a6253ce9ba8847d0efd7c99f3e2817d2f5edba39cdd6a5fcf7e94938ad0933a2b3eb951a24836efec01fb8a4dc5558d90

Download Submit
C:\Windows\pwisys.ini

Filesize
462B

MD5
e4a597ac6a528195d251d510df8bf71a

SHA1
76a5b62d6b91e31d813cd62d2119430f3fbe55a0

SHA256
37dac674fe56c07abad128bc012f3c3376e530b851a00ff482188d6ca5ff474a

SHA512
2f5ae4438c38186f3abb996325cae79c3abe7208807a8308f716213f73d1c0c70746db623d2c644e9535759f1c5519fb26279700722f6e2b35bf0163f5eaba87

Download Submit
C:\Windows\pwisys.ini

Filesize
378B

MD5
abbaa9a765414a0fdc24dbe9ce532f40

SHA1
bfe805d6ddf84697841ec4755c82c7e9e93f3d24

SHA256
2ef297d5f1d5fc24ab4a4bddedf70e40392a0482f36655599aeabb2a1c142b1c

SHA512
11f82c93d9a40bff0567dbda7abce71c9d691c27e9fcb754b1389ee97a73915bf364e2948038e2bfe0cab5a3881837ba336ecfdec6399027f852edc20f04c6b1

Download Submit
C:\Windows\pwisys.ini

Filesize
412B

MD5
33f58ad13eb73a2db5f5742c1abdec6f

SHA1
95d0b31201ca35e38cac6d72ca948ff570849c42

SHA256
508da3348f05bcc4023b176828f985553a36411b9b722fbc1fa53b70ce3c78d1

SHA512
41d408242301fa7dfa011bbd2c49dadb83cddc690658bad68bb3a1d1c247891ffc73362536628a49e384be9a3303c99956c51acb23af3981af28aaa531e80e12

Download Submit
C:\Windows\pwisys.ini

Filesize
445B

MD5
31455763d54417b06d02539065e0bd4b

SHA1
575d9e0ec77264f5d38d5d2b1aa268b4bf75cd60

SHA256
c355f3d72c07223261bdb91f4e4b6231ee02ea253909c60320cf42e95a40af92

SHA512
e2f85bc5a4d21bd215703ef64bc93243f351dfbe554a0db1140d96d79ac9ea93c03a1d3dbb858a4e5c5b4c6e428fcbf6b558f8ed8eff75638de7899c3d522394

Download Submit
C:\Windows\pwisys.ini

Filesize
472B

MD5
a25c44b3f30a4ffa89d6d568db5c37c7

SHA1
504e0996770abf50e3d998d1abefaa2f295faf09

SHA256
c7edca2797b28452b90536560f9bbfad840ae2fcc17b69850da7e76348f70d6d

SHA512
2b1f5fea7af6e020ed02a55d073e3bc364aa65c9ef1ea90a9b173159e17a07881493b52011a5635fa1f500fb9f015071e0c754ac1f25651d4a50c9f14dcfbfdc

Download Submit
C:\Windows\system\sgcxcxxaspf080521.exe

Filesize
109KB

MD5
859c3f171bcb3ed7d10007ec71f98082

SHA1
b02a91d37762e485e02284ad13040522ea41471c

SHA256
295f9b09881e8d978bc84aaebb18daa0a79f047d013921e9119d361fe4b5443d

SHA512
9bff308eb1ad3e01d4d95bda21f8018398ccafd9d6f6c1d9b209f77a0598f84b2245870184dac8a2278c34f97af38c9d8e36506ae552b29baecc6a84a7e34391

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
a030a092e0004463d8277d9a7f5aa38a

SHA1
544bd23833a144c2bb965b494253aedf2a78f27c

SHA256
09973710a0dbef6e906db4dfa88b531ff2abe02a3af84b37adfb9e0c387a52e9

SHA512
c3306df79ab7820046a9144e7949fb6a5da56f1ca900f89fd1f6ab8f477b24b8364ed01f98f75ea0c14de35a380314aeb9f840b5e4eef77cf6c48a223a31bb47

Download Submit
\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\lwfdfia16_080521.dll

Filesize
30KB

MD5
545b50208a7058cbf817f692abf5e7ee

SHA1
e1cf5613dee8bb51102a0c0da99bf515db2c96ff

SHA256
329ae4cdebde953f989ebb0a7a815e9eeaf0f5b780cfaa6f4f37aeb8ae7194fe

SHA512
c17cc9d3d69b43fd9cba1465eecc637eba4dd2396cee488be26adb35d93d5926358bc782db75aef1d262094181a9a863f9cc1025a3a7b3c161b76fe3d41149a4

Download Submit
memory/2844-512-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2844-52-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2844-70-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2844-953-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download