9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
Size

117KB
MD5

ea8ae6be1c3aba0a409539166924e54b
SHA1

5dc53713e4d343a18ab6103a8383d5fb74752cfe
SHA256

9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78
SHA512

aff9ab4581a26a07e1ece6552d743e5d7c0e068c1525569803e7d20e6229593ff3f8276b92aa1a1fcae3f9330c96c92d2244759a8fe5e271cd143a0e6bc488d5
SSDEEP

3072:E991btnhShlotSKxbUp7Zn4PrgaiW6gjfApzohK1Rb:k1bFh86tQp7Z4Pr5ppMFEKP

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\minitnyus = "C:\\Windows\\system32\\inf\\svchosd.exe C:\\Windows\\wftadfi16_080814a.dll tanlt88"	sgcxcxxaspf080814.exe

Deletes itself 1 IoCs

pid	Process
2848	svchosd.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	svchosd.exe
2976	sgcxcxxaspf080814.exe

Loads dropped DLL 3 IoCs

pid	Process
2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
2608	cmd.exe
2608	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inf\svchosd.exe	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080814.scr	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080814.dll	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\svchosd.exe	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\dcbdcatys32_080814a.dll	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File created	C:\Windows\wftadfi16_080814a.dll	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File opened for modification	C:\Windows\tawisys.ini	svchosd.exe
File opened for modification	C:\Windows\tawisys.ini	sgcxcxxaspf080814.exe
File created	C:\Windows\dcbdcatys32_080814a.dll	sgcxcxxaspf080814.exe
File opened for modification	C:\Windows\tawisys.ini	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
File created	C:\Windows\system\sgcxcxxaspf080814.exe	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgcxcxxaspf080814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosd.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432880169"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{697D9A91-763B-11EF-BD41-DEC97E11E4FF} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080814.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe
2976	sgcxcxxaspf080814.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
Token: SeDebugPrivilege	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe
Token: SeDebugPrivilege	2976	sgcxcxxaspf080814.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2848	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2848	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2848	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2848	2432	ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2608	2848	svchosd.exe	31
PID 2848 wrote to memory of 2608	2848	svchosd.exe	31
PID 2848 wrote to memory of 2608	2848	svchosd.exe	31
PID 2848 wrote to memory of 2608	2848	svchosd.exe	31
PID 2608 wrote to memory of 2976	2608	cmd.exe	33
PID 2608 wrote to memory of 2976	2608	cmd.exe	33
PID 2608 wrote to memory of 2976	2608	cmd.exe	33
PID 2608 wrote to memory of 2976	2608	cmd.exe	33
PID 2976 wrote to memory of 2992	2976	sgcxcxxaspf080814.exe	34
PID 2976 wrote to memory of 2992	2976	sgcxcxxaspf080814.exe	34
PID 2976 wrote to memory of 2992	2976	sgcxcxxaspf080814.exe	34
PID 2976 wrote to memory of 2992	2976	sgcxcxxaspf080814.exe	34
PID 2992 wrote to memory of 1948	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 1948	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 1948	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 1948	2992	IEXPLORE.EXE	35
PID 2976 wrote to memory of 2992	2976	sgcxcxxaspf080814.exe	34

C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8ae6be1c3aba0a409539166924e54b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\inf\svchosd.exe
  "C:\Windows\system32\inf\svchosd.exe" C:\Windows\wftadfi16_080814a.dll tanlt88
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system\sgcxcxxaspf080814.exe
      "C:\Windows\system\sgcxcxxaspf080814.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb1196abe46635642cfc68f926c990c

SHA1
90d53f461feb100bdb6842a6772c40c8fc7a8a7f

SHA256
e91a0de780932a52ed170a3574f87443fbbbc4ab0db69694ddad8e0144083b01

SHA512
452fbc4e81509622aa8cdc9ae74a981a90d90ce856ddace2111865eafd2c40c1036d27ac6205e9e18f5cef6c0a694ffa35c553bedcba2665658c761ca7a677a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dc18da0b8193f4338fdd12c267373d7

SHA1
95e098de87cc110c0a3bb70dd70718affb1468d7

SHA256
11f1602013b012e3963182ce9d34e263fb65d84b1bd35e94e1062f3ff863c798

SHA512
86055e95a103f4d5c946cb486f68bdbacbe88ea6ef2e62bc3bba3166671af47ad0b8d0384cb90a5136ed46015ccb206bf262ac9bddd752347604242ae9737565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1a4f52fe6e784ecfed49171160b9cba

SHA1
c85512fee9f8aa7dc666b785654b0bc5e873c970

SHA256
ead76a16f799a9655cadcbbb828ac763264f28410157c8f617af2e571ea90759

SHA512
a4658b6541b0d2952904ae71759bd593d8d211a7c2c314b80a36fc696cd2a71ad0b245730ebac65a6fed6f678ff18f04ca6aad83ff5969949b3bccb638836c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8c833d96a6f283d792859882dbc3f53

SHA1
569e8889119c734c37a0f0b5f400a5c6476e2afe

SHA256
842b07ccb6df8b74aa5948a43404275b298f43c98f3fb2fb68235212682fa76b

SHA512
92a413ae80537077f53bd99569b2bbddf131fd02e54f139fb8769f9c430d1a2250ebb0600deb434b135316b53121ba30e3933621cc2cff49bb67ee3d914f0c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ad86b858103c5592067da0a62c1f9c6

SHA1
9d99493a74437616090a9e929de6c94ee476fc0e

SHA256
198836b394b1e0b18c9f83b95eb77fa7c2a8336b8afab981917d29cb226bd393

SHA512
dba92d2150490ba3bae41f12b7d05adc5b30754bcb330baa5d90ddfdb6b49af8e2f7e8a27774eade9994facf2cb0b5f635d2776acf9498bbd359ebe2fab75ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f21c93832848e450254868e1e3c88e4

SHA1
80820ba603b924cd5be764c7725467d80ae37ba8

SHA256
4dc1c79fc42cfce76cbbaf77bd1134954b137fa44837f42937cdee3bcc7cc4b1

SHA512
a8890acf9da494e0e338668a541d550fd6bd5ba934c2efa9f10b911d519cf4956aee94e9abd98103314ae7ea143068ee089837402da75d7a581966a910e7fa7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a01b2fafe182b741776940b425adef1f

SHA1
14f43c12249eed7541a045b1a9a41dac7f609b66

SHA256
e4925f55c3ca840835ab895f550919696689de7b16e62c96eee16d03b9a2c449

SHA512
15f2e2c35658b10cba72c78f268fcc6aa9dc412e811f162116bd1482805cfb2f81dd5dbb111eb6047e31b0e9b01ce0a7357c061dbca609d7fef4a7e4c5e547c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d060761f58f2dc60791759803d6421fe

SHA1
1f9962cd1d841c6971555569cb306a10ce96d672

SHA256
4ecfb8fafff81896385c5d87aee8c94336c0ffb37264efa4703775ef63148afd

SHA512
bd3dfb72f7479480fede4c6f97374cf6f09ffb7d7a8fe85680f0885ce831d2483e6b5c8e6563afe75e0cc773dce87f0750b859af3b0f420a4c31ffedd233e915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38baffd90f2e458e92ce58662b4802e2

SHA1
0d61c3ce87d28b36f4a11be843584f096830a1c8

SHA256
4f19177b1944c91a136e75a82bf3968e44e314eb3a674c5fb87709e39bd6175a

SHA512
dd0dc86a1465111dc6e5bc8a859a55e37187b5245fe02f7e7b07ea97501a1b7819e762e464efaca820701cfcc5019b930bab318dd9ac03060b817679f61a202d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fdbc6b5b849100fa26836bd3a98d1ae

SHA1
b4b18addec1d49c1ee7f15875366d871f5358a11

SHA256
fce55534deb170319aab1450cadd4003c8cbb6cafdee974e257514c0a3c028bb

SHA512
235123138790bc215517820237a0e9742b96b14f2926edbe59d8a2b85c3cb2ea0821749083af55a851c230189ad74fc56a53bbf2a537863ed7c928088f093cce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ba49d4fb9472e913d71d9c554916b1

SHA1
670f09caadfd351a6fd7f0e7d8de20e818b7fe43

SHA256
adb9602317d6916d436c8c00a76898706f059ba8c339b8a0f00b546a53965133

SHA512
2deb8bdd41804570ac98f15fe0b5620c071a71c731319e737dd2315e5bb615cae7b56d5b7baedcc898cadd15677fadfcdcbe6230dcc5c670d66109d7e60a5a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cf57050f696d83001b64163a76e084a

SHA1
f0662685a5e04ccbe270e0197dd73f5d25268452

SHA256
55ac0e6939ab64acaff659fa31dc0d0d6bbec241b44c552fa7e0c2c7cfdafef9

SHA512
9b8c0ac93127d6d2639dbbc6d1b678b06b58ff9153a7a11574e3cea45e4313a4d123bf70020592b591ccf81ffcf1fdacf998267e4169549e9b01a6f9a81da15e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
526e1d8d11bce0b0f748681ad0bd680e

SHA1
06f4d2d255c9eee6d602154058efafab8b502e7a

SHA256
e01766f7964056c61d609da0b6cbbb8b7de39f876978521ed48ed1cd96aeb2b5

SHA512
b6660331a9ed517dc28c1b9ae756f2f9e099b63abc3df56180ade97ee5be82497dfa03c20ec0d72bb642eb61db872024d3736f1c487d9c4026b3a51713ea33ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a289d2e8aba0893bfa2b97c65c3af6d

SHA1
1d8a5ba536bbd918f9e64adfe05eb7880e220537

SHA256
f3799d7b38953d3364dc7053c46910bd0ca63cb417071acb0ef31665c940a54d

SHA512
d56143797c86b3ddb01d3d3acec9aebcaac65a0d6d9a86fa3e2b8eaba62fd4e91559677a6535177c4611b25e821e812190092a2d9654c1eab2cc0679542a66f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac052cc420ccab870d3e9b5832e6fce1

SHA1
c74ed629ba6cbc3537948ceb11339ad9e334592c

SHA256
e428112343365f035a2c8d6166905824958ea00b5e7cbb276ef226d90573312b

SHA512
977b2aa61c4a418fdf4f1d6aee4390e720089405d56e15e9d8ae6fcd1bcd4ea362e5c5f33c16586960487c79af753335d63f6e381e7d33c090d9b5b5be74e2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
917912d0d626d57f4931f4d65fcdf8f1

SHA1
1f7e37a44c32aedaa716a0a5fda1bf2891174247

SHA256
df286cbeb9259d58a20be4e3a61ff23a5dacf705bdb6e79798a291cb0b9241b1

SHA512
e2e0e4f07932330d88513a9e4db5fa48f424884e4a7c991bdeca42d01b03c98127fbfe57f12bbdd29385db0ea9ef762045b8a8b752f1dbda946e181c71330aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b15bb7e2ee968f633e1a1cc52be363c5

SHA1
686a181111901418e72817f417eec03e5e6a6764

SHA256
5344e3e7a19164c16d2535c6c4d48c2b673cb042e40497347eaa84bde50a6be0

SHA512
f23dba3625d0259323251bfe56e604e836f20a31d99b0c2d5b049c5bf0de60b2fafdcc526f503720c8d02e3af9c8473dfb00429160db42104fa5d80964e9d0b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efff9aeea9f2927a7b78bd1de9de506d

SHA1
88030805d1e1818a41dae82451f98c99ae9685c5

SHA256
e475026d90a582e2bffff4c28e87abda573945c86945813d52d25fb86ee82d47

SHA512
76ae6fdb9991a9d81deef21f15a5fcfe6af869f233be5bb821535c7ff9cdb4cfdaadb9a83bd44b3707c0ee67a4627f8e07361c460d743296cb0b4bf11f2b05e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
801d9d1d2fd0f3483dfe43638e1e2f28

SHA1
f2fb2a1ad32e3405c7539f0d825431f87c217a71

SHA256
7e2c5a85e98b1c85447dedf4454eb95698f506e7c43c368e39f5ad964a6dde18

SHA512
5719db07c31776f366241558fb4d88bd400c19291ae38b58c7ca621736cea0142ac42d26feb1dd07c6cc27576450754bb810ecf7e2afc8b612c8ed2df42aa8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE46.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\inf\svchosd.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\dcbdcatys32_080814a.dll

Filesize
233KB

MD5
c1a4dde8f18b64842981b2905ce2ae38

SHA1
44adb92b12222db9d9df84d8438f592cd9fcb804

SHA256
00dbe9fe8b3d17edafe847474850dc716b4c52dbb581fbacabadf91febfb1816

SHA512
d3501decbeb47f0487fb94ec816dc98d42f98bf332248f6e1010282e3afb1d06eeb1b0d7d6aca45d51c98370a7a9bb6ec0b7e606f0fd15973fdcd68fb816fc93

Download Submit
C:\Windows\tawisys.ini

Filesize
112B

MD5
f53c110b5eeef5e01fdde96815a87d58

SHA1
c7cbc9a945aa4b5f61951752dd946cd6944b00c6

SHA256
c6afa7d8af1103a86bca1d40e2063eea29765366e3e37fe3a52d2208d7d1217b

SHA512
449eef056b2d8d6bb3c50f75779cca812a2af34c1f51c4c8090bcf45d7f8f1967c9958968c33b50907fae90d23be500bc1b40e46dfab2de91a4b514604a6fa21

Download Submit
C:\Windows\tawisys.ini

Filesize
488B

MD5
6735865c8974669a0ad98bd56e4aff59

SHA1
bdaf11a2628308634b75758d1fd5702075e2e453

SHA256
e3ae189e1976bfede9286357e0f6f18ff32ff8d0bdf5b4266867e7d25834643b

SHA512
a975b619a38430405601e66cb1ffd511631e6c245c957c04cd348eddc613df81f8fad78bb8e547229ec4d7ca12109cda735c047b3129ccd72be57b41c381d5d4

Download Submit
C:\Windows\tawisys.ini

Filesize
462B

MD5
52c959a7fa5c5c611ddaaf0b925115ff

SHA1
b4fcf8de4f9d87c8ee5ffb6b289245f02ae482c7

SHA256
401cc0d8a4ed0337f357254c9475dd78251abfae7094bbeb0411d30a21a4ccc5

SHA512
3e47cf467802acaf0cde8351c894035e3a0a5c60f41d6970fb6a4bb2b0dcf3726e08dbf4df9719ac1c6eabe71b42a83893d35aa73fe01f19823d83c3b22e7388

Download Submit
C:\Windows\tawisys.ini

Filesize
378B

MD5
0975bd57bdc54d80e7eba74b267074e8

SHA1
2f78d12f0fbb9656c4a7805411ccc9a0858dc55d

SHA256
2e6bdd3ad32c1b06711476e1e39f148e498b785e702f734409a497118d76f041

SHA512
fe14a9c9e5a169c2acb9f0831317b3bbe5399fd26ad62959ce0ed2010b8fa87576f9aca365bc6c016d9d93d9e8d3465b54760743d1c60c0d94a4b6bc77a2e3a2

Download Submit
C:\Windows\tawisys.ini

Filesize
428B

MD5
12fc606070df472fc09565347eef6751

SHA1
82c304ef36a3de2766026c407dc102312071cacb

SHA256
c04e1ea9ca6991ebeb1a6d4359a0d64dc05d66eeb4468da886eaa35599d41516

SHA512
59576d449c3833379229978f40b10a1a517619e09e8da8722be64ce0e1599cfb511874a44da8ec85ad5052f6c9fcbf08e3866bd482de75d195fcb338cef6e7d0

Download Submit
C:\Windows\tawisys.ini

Filesize
461B

MD5
3da5f9aaf1eab95334644361520f39bf

SHA1
2b77f3fab796289c7a1bf51ea934d3b1e932d264

SHA256
4c240ec3c31a1d142fc6130e211ca80cb70e02d2ce4b00230415b4d6cce56f7d

SHA512
1dd525ff9865fcf728e36513caa24040e22c64357b848167af3bbee141b6423069d3ee3d735180391aa56d0aa788972a5ca752531d0e50d78fbebcadfdaa36d1

Download Submit
C:\Windows\wftadfi16_080814a.dll

Filesize
35KB

MD5
a669aaa5c5d2a814a94b89d0f8e19eb2

SHA1
6e225f173425ca4d06d4757e3783c2d3c774fed4

SHA256
a372488c2cb56e8075fdc735ebfd3ec723f87056ecdd67054cbac38fb9a200bd

SHA512
e083e24da2c135aaaeacc6580d4f8e3dadd28da270ca76078f5e8d6ca83259e6300c878312b4f56e03db6f8d3095a0be3518bc51d446759497d9e6dc0b48b087

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
ce39e790da3f5bfbf44403f6aef61bfd

SHA1
df0ea3450379350f29dd05f12e1123ce8e39958e

SHA256
34a8c1bd7b386f6f53d63423312eb1d92c740a83ae05c699536236ba529560c8

SHA512
33f8cb29dd728dbb11f6bed7f71b27520a69cc6254e6ca42708b35877aa15b4473d8e9025e8a3f5a1256418a9bd3906fd085df26a3504cd978975e420fdbe83c

Download Submit
\Windows\system\sgcxcxxaspf080814.exe

Filesize
117KB

MD5
ea8ae6be1c3aba0a409539166924e54b

SHA1
5dc53713e4d343a18ab6103a8383d5fb74752cfe

SHA256
9df49e9e2a98fca61c135b1998073458b770c9cca42b2d3f6c91dfd6ab5ccd78

SHA512
aff9ab4581a26a07e1ece6552d743e5d7c0e068c1525569803e7d20e6229593ff3f8276b92aa1a1fcae3f9330c96c92d2244759a8fe5e271cd143a0e6bc488d5

Download Submit
memory/2848-69-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2848-511-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2848-50-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2848-77-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2848-953-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2848-954-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download