46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
Size

112KB
MD5

86cd57473f366479770b7e98b5993e32
SHA1

0f1834869ff4b7c453871636a3068ce8f7ca7239
SHA256

46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a
SHA512

93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23
SSDEEP

3072:xq6SMOZ7i/tEzZ7wbPi6MY21hTbrnNwIxsLzO:xIzZ7i/tENaPi6/mTPNwIxsLy

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080630.dll tanlt88"	sgcxcxxaspf080630.exe

Deletes itself 1 IoCs

pid	Process
2164	svchostc.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	svchostc.exe
2660	sgcxcxxaspf080630.exe

Loads dropped DLL 3 IoCs

pid	Process
2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
2796	cmd.exe
2796	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scsys16_080630.dll	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\svchostc.exe	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchostc.exe	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080630.scr	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\tdcbdcasys32_080630.dll	sgcxcxxaspf080630.exe
File opened for modification	C:\Windows\twisys.ini	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf080630.exe	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File created	C:\Windows\tdcbdcasys32_080630.dll	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File created	C:\Windows\twftadfia16_080630.dll	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
File opened for modification	C:\Windows\twisys.ini	svchostc.exe
File opened for modification	C:\Windows\twisys.ini	sgcxcxxaspf080630.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgcxcxxaspf080630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080630.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96CAF7B1-5735-11EF-AD83-5E6560CBCC6E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429469182"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe
2660	sgcxcxxaspf080630.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
Token: SeDebugPrivilege	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe
Token: SeDebugPrivilege	2660	sgcxcxxaspf080630.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2164	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2164	2440	86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2796	2164	svchostc.exe	32
PID 2164 wrote to memory of 2796	2164	svchostc.exe	32
PID 2164 wrote to memory of 2796	2164	svchostc.exe	32
PID 2164 wrote to memory of 2796	2164	svchostc.exe	32
PID 2796 wrote to memory of 2660	2796	cmd.exe	34
PID 2796 wrote to memory of 2660	2796	cmd.exe	34
PID 2796 wrote to memory of 2660	2796	cmd.exe	34
PID 2796 wrote to memory of 2660	2796	cmd.exe	34
PID 2660 wrote to memory of 1268	2660	sgcxcxxaspf080630.exe	35
PID 2660 wrote to memory of 1268	2660	sgcxcxxaspf080630.exe	35
PID 2660 wrote to memory of 1268	2660	sgcxcxxaspf080630.exe	35
PID 2660 wrote to memory of 1268	2660	sgcxcxxaspf080630.exe	35
PID 1268 wrote to memory of 2032	1268	IEXPLORE.EXE	36
PID 1268 wrote to memory of 2032	1268	IEXPLORE.EXE	36
PID 1268 wrote to memory of 2032	1268	IEXPLORE.EXE	36
PID 1268 wrote to memory of 2032	1268	IEXPLORE.EXE	36
PID 2660 wrote to memory of 1268	2660	sgcxcxxaspf080630.exe	35

C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86cd57473f366479770b7e98b5993e32_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\inf\svchostc.exe
  "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080630.dll tanlt88
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system\sgcxcxxaspf080630.exe
      "C:\Windows\system\sgcxcxxaspf080630.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61bfd88b1b007fdf5174efbee44a535c

SHA1
9a8344bd2101a44451b93d98bb4514145a7e80fa

SHA256
d19b8c37e30bfda4b988fb59bb6036a853403c93be54e40814a60182546787ce

SHA512
d149adf4f5f51dba741aa68dbdf3f36746260f51a16021daf8ac017d8835801f648034835a71d9cc768c01ea855c413afc1997e330ac524c6fb00c32f02480ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6fd71e7d00452858b9df3e7272343a1

SHA1
95b4af2d62c0f2289ce131b04064bc4244ea1663

SHA256
53bf2e3ee0225bb567f1eae56e86e642e91769b71abcff0f91b5afc914571e70

SHA512
1b612f0f0feb0189043b5c1cefbc7c4b3b96cf5f6251dbc6c17e859600a1d1f9be9f0e49d24506ab6fd6f0c6f475f1e0ecef0ef76a724696cb1c473d34245674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b7b71571a2d2a9026d7ea6abb31c4e1

SHA1
f4bb4cdd6d84c9e0d2e48a46cd58168e397175fc

SHA256
70e974d59e977de31a84367ac5cc47750101b188aa3764f61663383fc1ce843e

SHA512
7d88b35b4f96f67cebad8bb68cd32ecb2da24c8c2706e8d6b14c236460e3a31d927a8b35eca8f3c49673cba6567ab8e94ab0c57837bfada32d5f952375d6ed71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e63bfa1853cb0a8f0b71b584ac52e5c9

SHA1
734b501951f5b039adae299f998fcdb20623e513

SHA256
b106353d005f64297ebf9619adc15c7790e8ff1073eb2bf8c62ab92b119e79af

SHA512
3cb290f3f3a919d71e2050d59af30b26a860ba5f08d635042591ce6806f7198d170893188528f685d1c8a1734aa1046c6b5def63c64f8deabdf9dbf13a458e67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f9d1e6a3859e11afe4ff60dda31270

SHA1
b1fd87ab67a54cbf33612fde1ca05e9b1b96badb

SHA256
34a15e8ec53f1569fc9fb1a88d6c2135230bf64911b48a4eaf4938ea60ef644c

SHA512
aef706fe391e08c1e9ce97c521dbf63fa968e57fe0d506f3a0f3a8173ffaa5179d39d884b4770250dba78be1d2566dbbfac84be8634559dadd0db5cbd36c7b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb484904adf82079adbd2e25b8303b13

SHA1
7fe550a5df876e8bc04031b3308758b3d4e6f277

SHA256
95eb587cc113c3b76ee401ad5abf8f2ac50c07d7faf539d12da40608c9d7a152

SHA512
9937f9edea744f2c48fb2f1108f198666f650b8213de8f78c4fbf9e925e2d7166c2708b1f642303aa3db28f7404bb063dfce62495e0d234d50c2752bbbceb2a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f2d001d39741de045ed2ee6fa901004

SHA1
6b98d3c0379c6463c4adcda695f1c0fb1d968f17

SHA256
a65a6ee930bc15d7e6a3aefc9d249fdebf4b6fa63a06ff70a806bc316de4fb69

SHA512
a0ac7659294ce9f37404409ed72fec7e7ca54814d10cb8a03ea1bcfa0aa03d52f778411ba949a4988d35a70a79d8246f51370d2a81529ce5326e9bad7e6ec2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e75fea7b149431bfc0fbee4d8232a1a

SHA1
8fed2998a2ea95e0e9a65d75a27e2a4b5a9ce6d5

SHA256
fbe344e61e96852c5e21ee700e09f5a679bb6a8d5b279ff6a35096a2614cc378

SHA512
b19d0c3d35279accc300399e57758c7906e392720eeef7be9de1bdf2feff4690807e343397365b110c28b902d08af5be3a9d5d17457c21d59c6ca339f927f733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e71d798e789813ab8ba9e4407d4e038c

SHA1
40005adf0f8d9acc88c572e5f68aa8e3a9ff216e

SHA256
8c322fff99caa3f9777874d0d363dc19a1a19c01d2929b5666499b11f926e469

SHA512
e190bf7dd4b36d21bf3f2cfe72554df8a3ab7d606249968d905d88014eb59e5fbc0469cd33e0231bc1ae46e4791f94c3650cb53426a135abd8873f1345162831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3912f019cfb66c531e0459b6835295c8

SHA1
65efb4191679679e3aba019411fb8dfe7bda2a20

SHA256
3242726f57c54719a6739d9c57ebb00ad38ccc3712ca32e5c32c200f9579997a

SHA512
8f64ee3fa0a0a7e2b290db206889ac93acedf2b79627c81e0214ab2e018b73ee92be1e914411eb229ad7003eb0198293576bf50758a5498ee51fc97a0d3d44dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ac1517c271928f66c40a4f7d519e706

SHA1
50b3c228b3ccc1f3f4ad7e8737d3d7fa4624f691

SHA256
1e7928f25c1882933a1922d53a3a75849fc74c7dde8577e133b2e119006fcac1

SHA512
a66723ffb5b1bac213f19249cab8fa2e587b2fb1a3e473fc272f7e6ceaa19823d61dbd7d605df94908779d28308d0cd281a4d36226a60d14c1dcdd95f70fd968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4d30a5e061a4155350d9200dbf6b17d

SHA1
b120a6a2ad1e8fbb11f7be157fe444cd9ee0efef

SHA256
0dd49b66fa2f7e23d1b874aa8a0b18ba5556da4e08db4821b24012b0a4767e29

SHA512
8fb3743407d3b699e1c0e48b1f7bb6a4c5977c2e6931f2451631f747cdcc9dec4d683d7ed9e851f7eb6fc5c75d1d7fa6b0aa7332fbb841e249316777fc76ef05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a2360a8257dbdda116cbc1db0ca20e4

SHA1
6345e2852a12ed5d886f1d812a10c91a77982f27

SHA256
f88186c37afebaac6c593f276846033a58f7ed75e21880ca82830ec6a2d13635

SHA512
eef5d12869936c420d81be63e66fb55267f1b4d052ea1f09fe96789b289262cae91a2b6f1914b2160f5ca2ae2d672da126f7d82a8c9b2aeaa4a63d868eee8e5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d0aefad8fd246ac8a0da29ec332ff90

SHA1
b2feef319ea6148096dc867eba1f2ad5fbe89f74

SHA256
f8ce82049c53344621a22d857630b073f7664bd55fca7a80cbe10f0679894a07

SHA512
9999efd7ad7a935f113acb1f111849c0ee8c2b75c7e8ff82ab29568e0bdac9416ff6a4c1927ca306d8885220063acf2a77125167ed403ba2dd301dbd090ea1a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30f19988b0b4b22c5d588cdbd9db65af

SHA1
d8b9b22190cb24568b6bd7841a2508e80848993a

SHA256
4b57929193ffc1794280c61fd4ce2c7ff91d0b27cc998f58d71a1da0bda50e0c

SHA512
257ec68f41af1eeb1a25ff1d35d6832feddbef3a34773242c10ddb1780c9a17dc1a33fa734eb06360446fe3fa53bd9002500242457480d624f17926df631c9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb016b39958a3fb0c6517c3999e96803

SHA1
907ec32ef23c2a277096d6912cef03a96de80534

SHA256
ee5183ad89557769ca4ea702c9319198adc9074e1bae18c125276cd4f173ce14

SHA512
9c6ac8e034fd94a9d762daac68079701ac7186d3c624b5d163b1e638d3998b72023fdd4a5f2e64aaffe637d9be531b4fe955b7582a8d1b3594f45adf5356d28b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00acdd930be8a8c36b64176e1a386d0b

SHA1
24e00d80a386638bc3651401d6275bb8f0c02b08

SHA256
05ba166591734af66e6b5b0ea82007fa6fd42733a0b58d3b0126878dff11cebb

SHA512
91c726e447eeb28021d4c7fb128b5ea6b1e9442d5b61e8b783f65724c8d3ce29bd0d7729a6294b98f334dccc74cdf781bd694d04c8108285c043d7a85b13e974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
843e26abfdfcf3e800595ad5cb90a816

SHA1
f3d0125dfb0bf72b3a6aa6e2d83b7bb655036ce8

SHA256
515c66862fd5dc259374ad14871c7c5ba3291d2a61784929305792cb3951d5ce

SHA512
927a53234cdfd35fb28e351e42f29f331f29dddbaf306cf39b9aff60ac87bcb8b7549b801ce15d3744b2ed9f08141e15f66489c071990167f95630157891cef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3269.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3662.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\system\sgcxcxxaspf080630.exe

Filesize
112KB

MD5
86cd57473f366479770b7e98b5993e32

SHA1
0f1834869ff4b7c453871636a3068ce8f7ca7239

SHA256
46c9ebf6367e5998f13ba3ac4259bc1e67371462ebfc2a2c858278cdb5cb608a

SHA512
93408fb92019b8da7831cabc83537e703066d7319dac1a7d7f07a211a507c28ecfaaa36fe5d99457acf835ab03ea90280c756cca6c3a4c3801efccdce0f23c23

Download Submit
C:\Windows\tdcbdcasys32_080630.dll

Filesize
225KB

MD5
19efd317486b8ecee11d4c6c7a2c275f

SHA1
ce65042e2723df5724b6a23c6589a7531f78f9c1

SHA256
4222c15eae1e68e8dfa32ca92ac46aa172d864a6eb7e00359e4814654ce90c77

SHA512
cc8aa9705bf0b660b906518b4e6fa7e7d4ef87ea01964f2b2cfb5248bc14b0c6458668508dbc1ef03792c93a402a3cef139608e9405716ba76794d90b83b199b

Download Submit
C:\Windows\twftadfia16_080630.dll

Filesize
31KB

MD5
26b88cfdf33ae711533c666025d10827

SHA1
271dff0f6c3e83b9c017f5c9fc4792a5257095ef

SHA256
bddc85db55326be5bbc0f825546dc6d694840d3e1552bce3acac4b4db34fc08b

SHA512
5787c3aa8c4715da98ec15c4d7d18573ca0bebd3ee10359d96564d874c046d2e01b9593929d2dc010937f4baf2d9d53d27054b1deabe53934cbabccd8dacd0b8

Download Submit
C:\Windows\twisys.ini

Filesize
46B

MD5
70a9cebac5afe6f0b45cb73ff1f4b23a

SHA1
a88b91476a3aca1d5830b75b1576cb2772ba9ce2

SHA256
4af0df4b6ead7950430e7dd66bc1785ca92a66cd77f51fddec7170a28aaa8e2b

SHA512
c298c177cb872bf70252bc91b1c0c8bda1bbfdf826c4953a8453758833cf6248f7193f0cb9c2c40b9d7bec0323edfbf90200c05585ce0f20f277759f70686062

Download Submit
C:\Windows\twisys.ini

Filesize
448B

MD5
a0b47bdb405af66455cd19fd975bfce1

SHA1
f2decb3a78601d4a54a3085408acdedf0e850725

SHA256
3750544bf3c1febae58127022c8380a8a08beb73d312c05d246bb1cd985fa4b1

SHA512
f4a90715da434118e1cf40be78bf5cd59dcdfb803cabf4ad15076f71b06c7968ba6a5c319be8356cc98abdf0034b7abfac2b17b736f300a7404b0849fee3e5b8

Download Submit
C:\Windows\twisys.ini

Filesize
364B

MD5
d8d44aa5e6cb1a7b2d5194d84ec91ba1

SHA1
095bdc3ee31cb85e854aa15cbf915c05d3e96216

SHA256
edc04c9858be8bb3f689456ae7ed4c3d76634667259f55f517df812015583896

SHA512
dd164a0b6969e24a190f7cde7a9106a50dbb451a79c3f5edea82e0baad54cad43cf04b01d5c5c2f896f0244566e9f1cff5c5603fcf079338827fa0390ca78e95

Download Submit
C:\Windows\twisys.ini

Filesize
398B

MD5
ae765e5d9fb7edb4b7a3eac49c8cfbcc

SHA1
455d99c66e74b377ab0b58da747c98358f5b1f97

SHA256
805a693c89b50cc59eac61314295db08dd0c19e7b82458ec00f362d0c8feca68

SHA512
1e05e682ca382c92015c7d30374a5d7b6037ba9cb36c9c72687afab117ac807fc5d8bd46dee63691cdad1e945d285e361c4f71b6093f9b756a084223575c7bfc

Download Submit
C:\Windows\twisys.ini

Filesize
431B

MD5
c870fd1d10d75227d17beb4e64658e7e

SHA1
fef44e3be3cc0051e65230c25e8e1e5167a75e3a

SHA256
3e32c560896db52cedcd341bfe06a08e83d2a5c47827d93497538ac8f6b3ed4b

SHA512
6089fae72801397820a93added22d5f9f096bd6ab4897602aa8e67e4879e31f2bd0f0a094f1772591113328fc1ad7517b61544767ba9b52744db7871e9972ec9

Download Submit
C:\Windows\twisys.ini

Filesize
458B

MD5
95fda2784c1b0fcaa248fa5ff59047cd

SHA1
a540c50811f0801d6b977ff62a9996e34c6ce1fa

SHA256
3b4888ccab73410c5193c697030f3f5f00cd4dbc570c04cc95c62a494b4b6224

SHA512
41cbe9ed91da666b8dcab52c253b90274b38b7ce9574cd1afb4a934bf717e90fcc4cd6ff27eba3c49428dd09b20489f78d381146c2b8dedbc60c5fcb0c318134

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
75220483f38ea3b1e9d028656c66c5dd

SHA1
2cde9a69c6dfab9c197f605d1600a634563f30e9

SHA256
8a03a8689361d6f83a30e3763bdf34588b846c4dc0199a776eee0289dc27ea79

SHA512
70bd1a9c88f50e69b99c00ea6211371042a272c00951b39a495b1c14d240c463c06ddf0bdd2b83688940bfc1c2ca646d4d4c20846e91594983f49ba8e6e8947d

Download Submit
\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2164-507-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2164-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2164-948-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download