77ae9a306194983c12c7870e6e6e9853f5ee20f4a496d7dd83404d461441593f

Analysis

max time kernel
150s
max time network
101s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
Size

122KB
MD5

b366059a33151ceeaa20981f73a60b99
SHA1

94c847040c554b0e1a1c941c39a6f68b03398be6
SHA256

77ae9a306194983c12c7870e6e6e9853f5ee20f4a496d7dd83404d461441593f
SHA512

8f3d79eccff8bcb08f8b72fb2ca76caaa80ea3e68008f3d1b02a14b634ef36828d74ae60436767c291b29a2ba646622c9f725b95dd41fc743ad5312277f6bf65
SSDEEP

3072:iNVhsaFx+PuoStCyf9pzESyjX3NiNgSrgL4:iFFFx+uBbEfNC

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf081216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\maincyucst = "C:\\Windows\\system32\\inf\\svchoct.exe C:\\Windows\\wftadfi16_081216a.dll d16tan"	sgcxcxxaspf081216.exe

Deletes itself 1 IoCs

pid	Process
1888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	svchoct.exe
2684	sgcxcxxaspf081216.exe

Loads dropped DLL 3 IoCs

pid	Process
2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
2756	cmd.exe
2756	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\sppdcrs081216.scr	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scsys16_081216.dll	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\svchoct.exe	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchoct.exe	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tawisys.ini	sgcxcxxaspf081216.exe
File created	C:\Windows\dcbdcatys32_081216a.dll	sgcxcxxaspf081216.exe
File opened for modification	C:\Windows\tawisys.ini	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf081216.exe	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File created	C:\Windows\dcbdcatys32_081216a.dll	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
File created	C:\Windows\wftadfi16_081216a.dll	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgcxcxxaspf081216.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchoct.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D8EB101-5FB6-11EF-B062-D6EBA8958965} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf081216.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430403997"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe
2684	sgcxcxxaspf081216.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
Token: SeDebugPrivilege	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe
Token: SeDebugPrivilege	2684	sgcxcxxaspf081216.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2860	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2860	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2860	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2860	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1888	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1888	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1888	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1888	2960	b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2756	2860	svchoct.exe	33
PID 2860 wrote to memory of 2756	2860	svchoct.exe	33
PID 2860 wrote to memory of 2756	2860	svchoct.exe	33
PID 2860 wrote to memory of 2756	2860	svchoct.exe	33
PID 2756 wrote to memory of 2684	2756	cmd.exe	35
PID 2756 wrote to memory of 2684	2756	cmd.exe	35
PID 2756 wrote to memory of 2684	2756	cmd.exe	35
PID 2756 wrote to memory of 2684	2756	cmd.exe	35
PID 2684 wrote to memory of 2816	2684	sgcxcxxaspf081216.exe	36
PID 2684 wrote to memory of 2816	2684	sgcxcxxaspf081216.exe	36
PID 2684 wrote to memory of 2816	2684	sgcxcxxaspf081216.exe	36
PID 2684 wrote to memory of 2816	2684	sgcxcxxaspf081216.exe	36
PID 2816 wrote to memory of 1296	2816	IEXPLORE.EXE	37
PID 2816 wrote to memory of 1296	2816	IEXPLORE.EXE	37
PID 2816 wrote to memory of 1296	2816	IEXPLORE.EXE	37
PID 2816 wrote to memory of 1296	2816	IEXPLORE.EXE	37
PID 2684 wrote to memory of 2816	2684	sgcxcxxaspf081216.exe	36

C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\inf\svchoct.exe
  "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081216a.dll d16tan
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system\sgcxcxxaspf081216.exe
      "C:\Windows\system\sgcxcxxaspf081216.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\b366059a33151ceeaa20981f73a60b99_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d004fc97a84b5f0d8c698e990eea0e4

SHA1
e5a8b2f97a283c298ee14579453b7e12e99d12e5

SHA256
1ae9555027140667e5bc76c3d498c5e8c65e0233f5e1ab1d83ec55096b6908e8

SHA512
b5cfebe27ccf7d39019ce58b480a3f7619f2ef9683db1958a3201933d7a861b9b855d3449a950d35743db99f06b1f4212c02b62b125c4635b76b2b8524d896fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb2e46cfd86f4299b1048e19cf0b8920

SHA1
aa24e4cfeac5183b04a360368258265a298ea15a

SHA256
da06645b1f9fb2495f3f8a4971c26d92f9381e2057d0cef5ad0e07e94e51093b

SHA512
2a2336382d44c76372bd2fad878afad24cc82f18a9cb316fb536bb16c016710a92aedc7df1cda0ae5215082c74c1b71a32504330c61262458a1e2292d8e9a0fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be088091280e3c0a00a96e89205abc67

SHA1
7a0fd10cdd9c777e21bd44fa0da4b1adf09e910e

SHA256
f61cfa60af67ce4b636957537625f5a4c986f6497801ce46f0c7f0323666d9c8

SHA512
bb0bd3a46a24be0198693616694ccb719f8a1c288bb26a596103721c0b27dba2e31f7ad2a012e89e8349e2ce9d09a002581ce2e28afd88b545bd036ea52889d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f130592710407b95928ea3ea3a64b419

SHA1
2c81b5d1b145da584a21ea802ed4a5a8edbf306a

SHA256
6a3e0aff92aaf10606746f126d2babdee1feb98c265e7cf905fee405f0e6f44c

SHA512
fe9f6dfad779954bee93d6cb508591247fe9c0aabf6d685bb5497fe04892a7e304c3bcd4e0c943764f1ffcb7a60008526fd907710247cb9b52a9fae8e6b32b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cbd2c3371edd690f6c8e522fd04844d

SHA1
4530d57c456c85a2e53b1dc6e3af440a087dcf37

SHA256
cc77abb73ae6c0fef88c72123159745f9f4a2728875efa35246b7f46f4261ee7

SHA512
466ebe85eafe049518a52999c1b82f9d14527af4887a73c895acfa0ca2524e7bb37524215e967390e44f4682919037360391f4beaf6139de49f1d5d3b7552922

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30e1b8f94f7c9d9418ed954dcd3bbe4d

SHA1
9043d8121b9ae7a5ffdbe877a8b29ff296d63da0

SHA256
c8a9dca26a9ef3f12f1deee5d506e60520e8fe1b9c8835be3d74ad13073f414f

SHA512
b85cc9e2747420555e434ae202b27113ea4358be97f41fd31de8288c311a55ee7ce1f88b5cfd198b5aa542a34bc716dfbadb71df0c6e3f62b87c7a878e01b0e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
879a591eebfe9ba8a875c2a19ebe9c0f

SHA1
6d14e567ef606ce321eece8777267d30b88403a2

SHA256
a218e70cd1351efc41dc0f774edd37fe432b451542f18d9613ecb8eb56fddd38

SHA512
d08f8b34d130044e5e7f8c6187952e54365748e544eb7415b3a8e993940c04ddc9d41f977293a43200814854fa683b4ad0984b7f4101d1559c04d80128eefd47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e955f3b381c25dd5bc2107766119effa

SHA1
309bf24c37ce98d5a5df2bbde97dee20a11a1b34

SHA256
f3f45f72f792e1e24c3e0d7cc0d3eaf7c0884003f3259fae1c607c1d5d8087cf

SHA512
3e1b65043767e053f108070f2d9e72826351ed00e715852f8e3429ea6b92c667570f89ef6ae52b181111042236e1531565ece7cfbf5d983e74771889f34f3784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d5f2b47a702161a53ac6a522569d8d

SHA1
3597816f9de511a3b47a907dda6eb0f5d92df88d

SHA256
8ee76de4feca1ad6a211c16e1f79dcaa7216736c3736d0c20426c437de0b5719

SHA512
75509b457430cfd9583a0442063229dfec7fa994939979e37f20253535ab22a512e15052fb56bf30d295df12c0b0f33ac51966b60e7071a42a10dc62349def7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c6733e07f6f7f863f55fca5247858fb

SHA1
61f4b618de628262341f757eafecca1e4bb0deea

SHA256
3940705ab764909bcba727dbd6a311e417525473ed5687612b1d6a7e4b70a73e

SHA512
74c3cc6441fa9b2c1f676aa7f1a8307f195e5ed555a98dc76b6fadc41bf851d08fb901f03f4d529bbe6b6ff068855cb818b0a2327126a1f81ed0da1fc1026a9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3340e122fff16872452b7bae24adc6b

SHA1
17cd1733b2df76953bc4fadce5e88a2dad07858a

SHA256
b47d01ce42198dd8b5aaf9e61603f5b80de0a67ff918f1643cb3009ddaec267a

SHA512
73d1e02a1deb739f8a4642ecb8e7e7a77636f1f337815c648731eae554c1b0fb5bcb2852f5bb3491097110c9b3de96f5ea0062ad8a52688417023e62d0f15dc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6964ad51d1a35e403a32c23b4f06582

SHA1
c8145cdde5f47f6786b4246bccd202d66daddcf7

SHA256
62aa160b166fa3f913eb70ee463490027916e84f50f532576973c3fe2a25a485

SHA512
ecdeed069246b30b4ed6a680594d2e10146cb5ca7a9fe1bef97aa249aaa3d097b4fecfe735af8b2b76ea72c14977262293a60e21758eca6f4483afe32bb132d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
981d65ba8fd96726589fb0b4e0a1b4d6

SHA1
5d445d8c19fc75ba95942ba0bd9819abc1d5a57e

SHA256
e5f207e7dba262557aa69a435699128ef726a99d3ec1386a9aaf2b0d4b798f86

SHA512
38bb1be5b06c003a69d1ba2b05288a65b4b0a3877898554e89f1088d032541f26f92ff9797cd637c9b5a382542bbf6b0194579199c49d6658490c07366e6e866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9f14673f6ba16880b74a18350160592

SHA1
78455d67df3abdbb9379b2c6909685415c05983e

SHA256
910e1cc9d703dd07cac8d6ec49f408cf578e2405b4238e1c711220933d23a3d3

SHA512
56ce4d2e16e025e99a5b2cd49486a27dfb58c5f91df35bd33172a9a92c8ac948e861fe4c40b4c7b78bcdf6fac1d5ce7d38423938db5d63b0d267eda842f9bb10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05e34e12fe6d0e7d4449ba6ac1d9b96c

SHA1
dcf86e0363fd3c8eabcd8d88e8e37b0c3767fe44

SHA256
e0e595306ba48108c9ad6e1085da3ff1c782b1ed9959dd5c6ce8d17ea3939423

SHA512
076266fbdacc4ce3c88599c6f67a54d3a7e5fb1a08530e8a68865c1e5ee2391ef6ebbd1465c2dcc46726e8f630cab77a7a3d2977d58043455a3610740854b69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6220.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62FD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dcbdcatys32_081216a.dll

Filesize
235KB

MD5
e70d485334595eed1dbbff5e23904392

SHA1
bd248aaa7a601f59e1aa88fad28bfc9581eeea60

SHA256
ec0a821c29cf750e8c575e0663f12844fd975ba03e6206f36005d06feb370e37

SHA512
368c20df757da2c3d5e86764b23b3f5247edff5ba41cb6d0fa074cb7e9f75c3f663513341bee5ae1210f2e00a53774515abb17f35f8ad9dc5e2adb29e3ff3427

Download Submit
C:\Windows\system\sgcxcxxaspf081216.exe

Filesize
122KB

MD5
b366059a33151ceeaa20981f73a60b99

SHA1
94c847040c554b0e1a1c941c39a6f68b03398be6

SHA256
77ae9a306194983c12c7870e6e6e9853f5ee20f4a496d7dd83404d461441593f

SHA512
8f3d79eccff8bcb08f8b72fb2ca76caaa80ea3e68008f3d1b02a14b634ef36828d74ae60436767c291b29a2ba646622c9f725b95dd41fc743ad5312277f6bf65

Download Submit
C:\Windows\tawisys.ini

Filesize
133B

MD5
3615566320d0a5a4aaebccce5941bb90

SHA1
edd663085843b061ddf776c52c4574ce7926c38e

SHA256
9187ffc535f88e3603f7df2f244db8b517ef1c59a1989c530c0ef3a669d94400

SHA512
75b550d6246bb9fc34fe61881cfb125eb1718463a47404063099da3399117b4cca2259d701a1577a1899bef70884388f163cae33d6c250cd29d1e96347ea81f4

Download Submit
C:\Windows\tawisys.ini

Filesize
384B

MD5
60144f9957c744a3091dfe5711356c41

SHA1
4ff6aa54262181943f058994d7ecdd877d5dd6f0

SHA256
1f3ac3e66f553ef63f0e3b435ff2fd25eedd1c4ca1f1fdbae3afa3ee4df4d32a

SHA512
f33b3d8c98d09e21c0dbb2f19f46bac22ed702b95724b504438e1dc53d2a6daeeddb5f44f244e32416c6879917306c84d8de93b15de66a393c0f1cacb27fb7ed

Download Submit
C:\Windows\tawisys.ini

Filesize
435B

MD5
ed48f4e31d5915418848a244c17df51f

SHA1
7cc14cedd512678f7ea0bda2011182cf6e192117

SHA256
434731b19866109f35df23b3fd911044b3d619ae9bd708487fbde4da14d6fa77

SHA512
ef8eeea1efe391fd40886362a4afc282569ffdfa59f2206902619d403c6a324110fcfa6e20a0e8fdd7180e312d267f26fe40ad6b1dade5d77f887c6ea71064e1

Download Submit
C:\Windows\tawisys.ini

Filesize
495B

MD5
9c51e500146b26d3d7b50b76aaf302d1

SHA1
18e4bcec05c357f90cb3abbd6f4c99e27d0eff00

SHA256
86b81ae13f12f432047a8ce4a66d59ba11f86d736b1ee943af6fb7941913c67e

SHA512
c7e2fb7b934ddbc72234645f14d670e04d71ce54d0c9a7e8de79f64d82e39bda4fb9b1b9148a082033346f99bffcd6412b765bdf1b5b8ef8720e2533e8e57ca1

Download Submit
C:\Windows\wftadfi16_081216a.dll

Filesize
36KB

MD5
f6d0683ce359019f62c4f86d3e809f95

SHA1
0a23390baf8e9c0337417f850ef1c50c94710dfe

SHA256
13e26e0799cd41c73f2b310b719a9ae31249bb9f4c81d168e6805c5474accb75

SHA512
275e17f1799046c40d3418a70bba2cf1cc8fde1a76877a841774d54c13f08a0205b9da1fb42ac1483ed7fa155fdb7dcc4f5fd12cdcff63e1dff3418882e48605

Download Submit
\??\c:\mylbs3tecj.bat

Filesize
53B

MD5
59175b518c85db49beb6d374527aed45

SHA1
9a5a37af64efa8f8ee82005f7821df881e69fe9d

SHA256
8dc2e4114cc3e5be496a94cdeb5b12d0ea422fe3ae45e938337c3434adf85c32

SHA512
e8f9cc7a13bd9ca8ae6c3fc7858c837dc64f52566aa38839593586b5cd7b810a5f52ff248d0baa83671cdb8dfd40344d41d5061de6ae40ce8b76d0dc65d43ee4

Download Submit
\Windows\SysWOW64\inf\svchoct.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2684-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2684-359-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2756-58-0x0000000000210000-0x0000000000288000-memory.dmp

Filesize
480KB

Download
memory/2756-69-0x0000000000210000-0x0000000000288000-memory.dmp

Filesize
480KB

Download
memory/2860-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2860-957-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2960-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download