e9885eff0f3c78783aa6fa5722afac281cdf290ea8dc2e2d851aa15c271467d0

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
Size

4.3MB
MD5

dd9aa746fb729cab86eacfc6e2b8f817
SHA1

60579e4292a237950abb39f56fe4243349fb5e9d
SHA256

e9885eff0f3c78783aa6fa5722afac281cdf290ea8dc2e2d851aa15c271467d0
SHA512

cd335ad5ba7815191a248a0bfec0c5f16c43aecb1eee4d694b990d3af96385d4dc2a6051b5c3d0edcd2db07b9b0f0b611243f2b5f240e1a4635d678364676240
SSDEEP

98304:2M5axOmSpr6kde2kNeRQRkbYUnhjR6zZGqhgs9kSSOh2+lCsckyVFVQoU:ZmSpeDeikbY4KzZGqhgFSSOh2+lWVFg

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Loads dropped DLL 25 IoCs

pid	Process
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MedicCopMain = "\"C:\\Program Files (x86)\\mediccop\\MedicCop.exe\" /Scan"	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mediccop = "\"C:\\Program Files (x86)\\mediccop\\etc\\mcAssist.exe\" MedicCop.exe,MedicCop ¹Ù·Î°¡±â"	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mediccop\etc\mcReg.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\MedicCop.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\MCmonRemote.dll	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\mcMon.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\inter.dll	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\vsdb.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\MCFilterDriver.SYS	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\mcAssist.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\Uninstall.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\conf.ini	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\filter.dll	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\pwdb.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\UpdateMgr.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\MCAutoUpdate.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\avmon.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\Lang\kr.xml	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\addb.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\MCreport.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\adsub.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\db\adtc.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\MCUpdateServer.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\SoMCUpdateServer.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\avsrv.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\etc\avsrvc.exe	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\mediccop\partner.ini	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\Ep.dat	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\MCEngine.dll	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
File created	C:\Program Files (x86)\mediccop\skin\default.avs	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a46f-101.dat	nsis_installer_1
behavioral1/files/0x000500000001a46f-101.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C1F08FB1-7182-11EF-959A-C67E5DF5E49D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DCB1001A-A385-420A-8A87-475A66CFF101}\Compatibility Flags = "1024"	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DCB1001A-A385-420A-8A87-475A66CFF101}	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1680	iexplore.exe
1680	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1680	iexplore.exe
1680	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1680	iexplore.exe
1680	iexplore.exe
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1824 wrote to memory of 1632	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	28
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 1800	1680	iexplore.exe	31
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1680 wrote to memory of 2492	1680	iexplore.exe	32
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33
PID 1824 wrote to memory of 2108	1824	dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd9aa746fb729cab86eacfc6e2b8f817_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn:"Mediccop ½ÇÇà" /xml "C:\Users\Admin\AppData\Local\Temp\test_saved.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2108

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:2831363 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
8cd796a304a805d1cfcc0f74a7322f3d

SHA1
643266cbe67792dd1ea85b1caf8029fa6e033cec

SHA256
bb9ae2e2de82059f52d458df1798012bbc188e0e77addafb17156a6697bf0b80

SHA512
8be24ea704c8c8491e07e48925d2c4d4da015c92d3685215f7679f2810652f2dc2ab612986321fb375c97652d40cb50ed8b13ec1129f438b87ac61de51590d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\test_saved.xml

Filesize
1KB

MD5
27b68f3b66ef58fe976d8448e042ea19

SHA1
47a2be0527a0ec31d59e46fcd8da46ff3187b554

SHA256
075f1a2419f550222ff395e18d0d4efb4a5bfcb1a310aee8dfebe5a6a88af8a1

SHA512
90a7f71d24113de991b46f5c54a61ecfebf3b976dc862c7f9f8353493ae8f1e50cc184975ae2d292db4d03dd9adc4356124a221504828ffe81c41bf6504815af

Download Submit
\Program Files (x86)\mediccop\MedicCop.exe

Filesize
788KB

MD5
b90a64f28722aed021abc9691551cc39

SHA1
1fa7b4004a0e997640637211bc01778bb26fd18f

SHA256
c21e2769b2a17ef048f3f1fdc5dc0d46706c1f2a962f2366a993255a99802ed3

SHA512
ebf41a2dc4a5358f84b46f5882704eb964e49f6c5b5ad88ec6589f68531de57cd23a5896d6327a99d96142d07cc1f9be8bd7231f2a0f699f2880b5c2843020b9

Download Submit
\Program Files (x86)\mediccop\Uninstall.exe

Filesize
205KB

MD5
ccea2724a01a0416ed1a983ddd511439

SHA1
1292353a907061954eca86780df8cda2f5176ed0

SHA256
1b3f6948dec04067286187a8c0e9b18ee6d41e1b3e07bb71aebd3326a4fcfb77

SHA512
09b9bdb8ebd8a9b91ac5717cdc64597794b9e9dfaa6c83eea14cb2276bad960cff79d30643463b26fbec5cbc2ca5795c10dc089f3fa5f9dd4621a80867d0c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\ChkClient.dll

Filesize
140KB

MD5
3fe47e461bb686693cf440c8815f2a0b

SHA1
9a7d27d47a542b83d00f1e6027ba4c22d496f887

SHA256
5bdefe9a081e5e2f4af73891db6228a6b57e7dd320fac0ae233f5cd741db8a1f

SHA512
687c57e17c4f527b90e8eafa9929fa9ee0a1fa82b2c9ba9c6a6385cfcb1fcdd1e09305acbf357cf61e7dd7e061d581a378d2661ed7df7dbfd554514f04646e61

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\DLLWaitForKillProgram.dll

Filesize
28KB

MD5
9c4b8ec42d89f7557bfd90798ce52787

SHA1
2376dde426ea65aa27c30e304086310605382475

SHA256
ed52bdad7b383a179b9b0e21fefdda2d72695c5263a815d5e1e0bfac6c718548

SHA512
17c12a27a08746755868558c037376dd7e20f03f0f71888c1329903b70975a54f57786c3c32bf88aaf30119f11ed978a6830ba91949e11cfc94fbb5ad95305b7

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\DLLWebCount_new.dll

Filesize
28KB

MD5
f16f5feebd9b431a8bc63456c0ad267c

SHA1
acc75cfa3ed7888334aa2ccf305a6c6c58a08aaf

SHA256
5417af0fc8284e9745650a55803bb34217e314096dc7cedf113c960624ae08ad

SHA512
ed1e62d903b511a29abd5def4419b5afa63699ee2d1c91a9d884ffb01d7debe5981559574cac4885140d1f27f4275be56236f5c6f1c327147dcac8893f965512

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\IEFunctions.dll

Filesize
3KB

MD5
9701818d39318145dd164794ef3a3846

SHA1
7db701f8dc19163d46ba88e8b68d8dbf428a8152

SHA256
3122b0413f74e88518cfd1b9c6e18435dd326ca177a2374b6405df78f43e776a

SHA512
d92786630250e9eb6c47537b09684fa107f959b50d255c7f3952741eb438c3be47e171827d3a4407b049c33c12dad73f8ec381a7265b28a6d8ca101ff702e8a4

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\IsVista.dll

Filesize
44KB

MD5
344d13fd0fdd2d97e8d61960f40a8a30

SHA1
3f0f120203005eea3e8ed1652a6ea8a607ea934d

SHA256
17bb3331e2300aa01666fbee98b9552cec5e46212a4c5a340c0370b93df88f83

SHA512
b4e49c58503532e270cc369f1cbd14d85edd46da5ab034dad730bd4297887dd541d445d2fbf205820e6afbbdba7ab6d5b78b694467554320fd6db8e06fe4f719

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\Ischeck.dll

Filesize
120KB

MD5
6c1f65ce96712e05f64c7a26b7adee36

SHA1
6cea6c2618fb31902c52cb1d5fad04503bd34ed0

SHA256
544f3c2c03f7900539d4868437f8e08204c0b4c79357af666a1fb48d406c1ffd

SHA512
5244d26d013dc2c7083bd4c167cac99307985babcabc1806a898a2621fce6b73d256b21d549bce8744f3221a51017ea5f621d2f6f5cd5aae83ec21ae41e5d5a6

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\KillProcDLL.dll

Filesize
36KB

MD5
6958016193a066833556992077bad4fe

SHA1
5f564945936f99381d7e2408f034f97d069005a4

SHA256
f38c669c87f2a73768a27a01622690997e9d93d5ca3830b349bd24c3ff9f8d2e

SHA512
fd6ab5c341b331b80c940ba97a2cd14547c796933a2df26d3dd87ede1602b86d9f8c37baebd7dd4c68d811199fc96a27ad4cb995bb8889d51af91db9f43ba0a7

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\MediaccopMsg.dll

Filesize
40KB

MD5
ca8789791cd61eac1cb54a27053fe928

SHA1
5981b99fdb0949f5a1a5d9edb94738c9650d9806

SHA256
931cdd908bbe9a4cfca002ba3b9d5294a18d10f88ff5dee52536525803e66de0

SHA512
6940bae0e8797f1b8639e9e85942a43c2936194be8094db41418db7e3e9b87b5c0fd263e1b1ee96d1ee6dd17d2a89a8f9ce7ee8c179192e1bd7063c3c16a0621

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\UserMgr.dll

Filesize
55KB

MD5
130f66c0161e6da46744abe3c0be4d9c

SHA1
d2a44a0cd07bc0c5d81fc0d056d6d45d200896ed

SHA256
955705c8c7188d06af16849e5cc3ceae79ea5d0808cc2851630a54d54bbc01f2

SHA512
915b9135da230ec8d3016ba83bd7102b3f8cb13050189a176f8d4d50363f13584fb971226458bc493cd2df27723c8ab7273effab7d6c6e14d49e735d24d7fac8

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\nsExec.dll

Filesize
6KB

MD5
cdff6b8f9523b6ef9f20fb5f9e90f1a5

SHA1
b25f6e0a19b41ff0a12de8e98e3005bc119d34fa

SHA256
80b2740fb3a21ffab022a96ce6b420019072f8ef3a048fd9dea4a5b64498c0c8

SHA512
62585c6a6103aed10f9a79c016df8cb630c3e37715542b5f26aa1a910771540c9b323ddbba3329db0ecf524143f7a27b782e198ce944317f764be6b9d04b792e

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\stack.dll

Filesize
10KB

MD5
0f61a81a543822de5fcb9a8a43f230dd

SHA1
d01d4a0f542f3c654637fdfe5a574fe1f150ece1

SHA256
46b4a72ae8590b0afb3304cc5c13db0502bc4c4cb02f64f37c79008c17db814f

SHA512
596b7a897ba64c32e26ba6168aa3628aad37b187a9814a286298307d8c42eabf8e8a679dbda558f8b2cdc8676c94ec819256432aa5ad7c05a5387759262a4402

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB1B.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
memory/1824-22-0x0000000000380000-0x00000000003A2000-memory.dmp

Filesize
136KB

Download
memory/1824-126-0x0000000003D80000-0x0000000003DA1000-memory.dmp

Filesize
132KB

Download
memory/1824-119-0x0000000002900000-0x000000000291E000-memory.dmp

Filesize
120KB

Download
memory/1824-143-0x0000000000830000-0x0000000000832000-memory.dmp

Filesize
8KB

Download
memory/1824-33-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1824-16-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1824-9-0x0000000000380000-0x00000000003A7000-memory.dmp

Filesize
156KB

Download