01ec0148bb8be5d6fec78334ee7836d40a6ab5e3404683db61898c8879594ff7

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
Size

121KB
MD5

fb3bd6075083e7293b09cda7229f9d20
SHA1

36aba27e7f0e8d5d6f8bc30b1c76dd7babb4161d
SHA256

01ec0148bb8be5d6fec78334ee7836d40a6ab5e3404683db61898c8879594ff7
SHA512

c97751636703b9b76face63fd7d63fc598be5fd78d1fbc2b0384475c064fb9606814ff5f8483d83d1987fc9b39e3bc9eb51cd4bee5d13f9de8cb05f81a657898
SSDEEP

3072:eO+9PFvuaukkswYRFTJJjlP4aBLpu/3dIT050a:eLNluaNLLvThPHLpulFD

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	xccef080924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\xccinit = "C:\\Windows\\system32\\inf\\rundll33.exe C:\\Windows\\xccdf16_080924a.dll xccd16"	xccef080924.exe

Deletes itself 1 IoCs

pid	Process
2804	rundll33.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	rundll33.exe
988	xccef080924.exe

Loads dropped DLL 3 IoCs

pid	Process
1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
2836	cmd.exe
2836	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\rundll33.exe	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\rundll33.exe	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccefb080924.scr	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inf\xccdfb16_080924.dll	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\xccdf32_080924a.dll	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File created	C:\Windows\xccdf16_080924a.dll	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File opened for modification	C:\Windows\xccwinsys.ini	rundll33.exe
File opened for modification	C:\Windows\xccwinsys.ini	xccef080924.exe
File created	C:\Windows\xccdf32_080924a.dll	xccef080924.exe
File opened for modification	C:\Windows\xccwinsys.ini	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
File created	C:\Windows\system\xccef080924.exe	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xccef080924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	xccef080924.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C118B41-7D37-11EF-8D9B-F2BBDB1F0DCB} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433648167"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
988	xccef080924.exe
988	xccef080924.exe
988	xccef080924.exe
988	xccef080924.exe
988	xccef080924.exe
988	xccef080924.exe
988	xccef080924.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
Token: SeDebugPrivilege	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe
Token: SeDebugPrivilege	988	xccef080924.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2804	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2804	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2804	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2804	1488	fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2836	2804	rundll33.exe	32
PID 2804 wrote to memory of 2836	2804	rundll33.exe	32
PID 2804 wrote to memory of 2836	2804	rundll33.exe	32
PID 2804 wrote to memory of 2836	2804	rundll33.exe	32
PID 2836 wrote to memory of 988	2836	cmd.exe	34
PID 2836 wrote to memory of 988	2836	cmd.exe	34
PID 2836 wrote to memory of 988	2836	cmd.exe	34
PID 2836 wrote to memory of 988	2836	cmd.exe	34
PID 988 wrote to memory of 1476	988	xccef080924.exe	35
PID 988 wrote to memory of 1476	988	xccef080924.exe	35
PID 988 wrote to memory of 1476	988	xccef080924.exe	35
PID 988 wrote to memory of 1476	988	xccef080924.exe	35
PID 1476 wrote to memory of 2744	1476	IEXPLORE.EXE	36
PID 1476 wrote to memory of 2744	1476	IEXPLORE.EXE	36
PID 1476 wrote to memory of 2744	1476	IEXPLORE.EXE	36
PID 1476 wrote to memory of 2744	1476	IEXPLORE.EXE	36
PID 988 wrote to memory of 1476	988	xccef080924.exe	35

C:\Users\Admin\AppData\Local\Temp\fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb3bd6075083e7293b09cda7229f9d20_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\inf\rundll33.exe
  "C:\Windows\system32\inf\rundll33.exe" C:\Windows\xccdf16_080924a.dll xccd16
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\xcclstecj.bat"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system\xccef080924.exe
      "C:\Windows\system\xccef080924.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac62c8fa730f144c49241eabc4654aa

SHA1
fae022f6b94b3f1d907a746a320f6bd75544de02

SHA256
81a0ed1a3fe01f587c044c4f2e5bd4d6805622d02813c3da378a60e94894f1af

SHA512
65e55489cd903ba008ef37795914a54972403b91beaf4574cf587c15f2b5a5d2cc1c6df4a3f4bf95475d0afc903292215b285ba383b0523b64489c116e580144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53e5c38897be2b3e6cfeb3cc201cfd21

SHA1
d7c39258b92ed1eacd46a17b97abbb916fb94bb9

SHA256
cd5c44be660fd38d82ebce4aad800ce0c8e67ae54ab119c87da84cdac49882a7

SHA512
3159db3a30155782b853308ea72f2c9bf11f92dd60da5ab046e1017d9bb29ebb809e523092c6bb02d717b2386e1733d58f93610f41c6de8aefebbe7008c5d1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ed884d3e8cc68f7f593471c8952021b

SHA1
663b5b70165373b35045d8aba0d2a4d5ad31863f

SHA256
e52876b8b5951ccede079ed91bbbd7b5a5e809e65fea9172d436318de672b1c2

SHA512
4cabda122cfda33913333b699958ea741a97798c3a6560fb870cd81b71c4beb2b0aad692715611d93ef680454e0cca432d9a8c6fba70d080eb1b7fe8cdcdcdf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b272de718d1c68dd3e3d3e9a3fb5423a

SHA1
7da63bfe2c06a1716c6e0cf3eb7d333f329252f1

SHA256
bdfc7b736eb793f07228e3107147f369a0f13751b433e1de8cf84e1bcb42e908

SHA512
13d9d07a437fc49817efaaaafe927a8f575141034c5570222d8e584a2f179302246eda96304daabb8319be6dee83e9aa97d2baa9c94eda4c79079bb45abf8450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73c0cb2b4f984d5baa52701bbd7cc01f

SHA1
6473d8e7cace488afb7fa6f2f1da328b2f8469df

SHA256
69e133590fa5dd39de236b193cc68998ea8cc33ccffcbd5061e6c34d2fd7cd15

SHA512
bf52fb5b3abfa9ce6efe66e5365a50491d8c64381df4f2315708645ba9ae5d639a3c8e40e20802b4049053b7acd67f70e73cbee730e94bd7d0c404d024e5cdc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7dc4670aa9a5fcf59c1f97417a7a8f7

SHA1
93dcf0cc2220b775c8a05182409fcbfae5d72593

SHA256
f188d0cfaa50e84e4952e7a17df6308e9df9d97408ecb60211439fb1f8ec5982

SHA512
9338711f84049e0f2ff396c99d9132c6f093489f9e43b1d44edf011b0c049d40f4324b4ecf0424f248e49230742af638eef04815b998a4e61db2be6de6be4101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c3398bbdc94d1af2bb48dfb6d006959

SHA1
4651da952a82f768ca9d079674d8db301eeec00a

SHA256
e48105177263f454d91e1ee4862c2a0d560f8026919f91e35b94ff9f5e072641

SHA512
619a44df448f1e815bb5cc47fc9810e9e4afa0a05b8d5464436062fc820db6697e96fd36f2f460977db1721a60acbde10ce2545f4967bbdcc54a14d131ecf984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a64451eec1b2debd4448890acee9583d

SHA1
12efd369f6e17be543d83aa11f009677419f6146

SHA256
8652dce90e9a852cfa8647a178edac5be2ae1f6c4e6807a3c4451c45d4bea210

SHA512
9e979dc1d29c48d0ca4d497abcb191cbe88e6d6b8c74b6f16b84494868d187ba3d85bf0e3ffa3070924d00e59a42f32f2a7fe75a2797c0f4758f78396f7a9c52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
487c01563e2180bdd3d27d8601c0d6ee

SHA1
05ca0f33198cf20d713d9e30f81900b2b0296eaf

SHA256
e7b9386c544ad0603d34ab87d357253dca5b1bc7521217369e39dd06b8253de1

SHA512
f1d848278ac33430fd1bd77988c05e7087dac8ef0626bd011334d930437c63b98b85d0d52816cdb4dabc8a09218794a22bcca01c7bcba7d5c8c255de222f5511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ec96558d73408ecbff3dcaeb28967d2

SHA1
297c9dde07c8538b533f109748646620c3b1cb9b

SHA256
bea687cac406807fea75ca72ee7589ecca88a45001c3fd4b21826f4a9c8b7a4b

SHA512
e6eba177866f48795a0fbb531b774ee2b07d0d04406e46a4373e04c022a545d52f3950ce81d4824a4fce396ef4e556422891d24976497eea91efa175b3ddd2b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f168f69d078911b392e5424b685f69a7

SHA1
491f604d50a941094950fa11d4f5d6045cda6a0c

SHA256
2ca7bdfe19ded3a4e12e215c29394752700da9f73cc0d490d0ebd41a2c43d529

SHA512
cb52efe2c401a6f2392d40438a0d5916efe3f9982d9c6cf0679e6797c6b58c99fdbb862b123755ba0f8eb668fb14f149f51162b20ac0b21cb6cb0715dbb9bc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d041b18af09601845a90aca0fb6128bc

SHA1
8c0e5fc3d7376a52f4cd24ccebb122e8027196a6

SHA256
8e4f55fc01d3e1cf3c028ae3cca1290f506ca33a5bfb0b63ac0dec3c2d3b27d6

SHA512
c6d5953da443e52d338b2ddc5277205420f690bc14f18d5fc9ef233cbed82a324df798064939b3a99fbd37af480c8de5f169a8ac8a438bbf8c47e5db2ee6a08f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d883fa48712d3743d3fac7e93034a676

SHA1
a027072b7957aed98f43fa77fb39e7e7d2293c11

SHA256
e0dfd8347f7ea0409a61e2a626c144a73001dc94c307ee629c50cf45c83a9934

SHA512
e94413ae98367f63a688622495d576e38ae00a2cf15a38c48cd640b4dba97abba490a45818d858c2e13a8f5fee18c4e914d9f374f8795e4351a7818afb0f1c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef1a1054e276da37a13285950e481d6

SHA1
2aa3811d0cb9bc9b13282a0bdcbbc2ab81f34e07

SHA256
53b5e681b6e2041f588a5b00e30e42c9ed3bffd44224669b8fdefaf13bed7b71

SHA512
9b898d5d8b5d7ed1c7a429d84f8e33e7a8b45239a143afaae4b918d28676e0291118ae05657e50f1208115ee7afd5f99218c177e4798e0e596eac9365eb8a65e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be7f17da0847b4b1003eb6aa9c591b2e

SHA1
26a618ea2a1a851a3c7336424b40d28db0d60c5a

SHA256
923ee0cfb4a0d4d57d95d402391b722e4ac888fbf80fd73239b2fdd3c8e07680

SHA512
d34890a2e9ef64b388a18822e741e35142a0f0a80df9a14b1ca222e2a3d9a4cc7cfae42b95723a51662ae94d2c52da7fc6e7df7b14c868834d33035b714a2cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad8223a9598ce96a70db2e7d38ffffba

SHA1
679ec0b8a7599b9f899449cc77f51490579c70c1

SHA256
01796addc426912b79a504a84395efa1a55cb616e64bd53046da32ce515f2737

SHA512
bd30081841eb5aa0d2d66973768de5395c2f91622e99524e74b2f7f30b3f43165ffd97307a9cfb1d9e2fb39d000ce24c7b50fb068eabf716d12428440df7e9be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6639be202b8815abdaed7897ee543333

SHA1
f7d94138483605c84b33ea3d524e52af8af05d6d

SHA256
83c7ed8a7ed5787367941056d06864f14b9d84bf9e5be466e7e060501ad9a744

SHA512
df78d921fc3dcdae4027b0c86db222182189e908acc72c2caf9a99820ef78005bbc152ef44640688ce93f8b0effa7455d77cf4b347f0c38ba6853edb58e3bf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6164.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar61C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\xccdf16_080924a.dll

Filesize
35KB

MD5
71b7002f45dedea57de05ec2b6ffd649

SHA1
9f745ed2760d07c6053e40454d2c4e36908667a8

SHA256
c5b6dd6732a5ea07562f770ca27fc089c2c3b39c1708ff86acc7f6d65aadf26c

SHA512
f58b7252e8c99a04d3c3eed3ed8fc57242032be99c481bbbc18ea1c84a2517c4d2fc72f4bd73fb4707f966575b676b300f66ef1b87feb06c8c56913686d86e02

Download Submit
C:\Windows\xccdf32_080924a.dll

Filesize
245KB

MD5
df80b4b53684fa687791d6774cc6bebc

SHA1
be39d32032334865003d740e1e400489aa64501f

SHA256
452fb86323f70230d7174fea568bb79faadd5e9846f959d27cda4b53406674ee

SHA512
09f5d007f7bd3861a81d1816a8e737cb896cd60b8040148ee864eea2974456a548e75b052b66e39712be82a19edcb3fcc88f194e8ff5e6347d6af240c5b69311

Download Submit
C:\Windows\xccwinsys.ini

Filesize
106B

MD5
c285290be5482f3233dbee2f5474723c

SHA1
20ab050ce6f1c5959e39db23d0726ccbb43821a0

SHA256
9dddf4fb242d8cc52c9b0e067838bf6d9aceeb62c9ced39690d35279c2989574

SHA512
bb7da0226959a7f98d4f2b1bd6859b1df1be4ed3745e2d34d68e040a4772f9c9faadefe21a603ca9777c16b33a64f5d1c5304987b776209379544b1345b5a284

Download Submit
C:\Windows\xccwinsys.ini

Filesize
324B

MD5
0a3532517fe17e56e1c300930df566c1

SHA1
557b53b8f8a831dad70dab26632dcb071ae132d3

SHA256
779f4c318491376a2b098a1babce05a71dc8f7a85ba31e281409fcd79d7a3589

SHA512
6bc05083597a996fe1b5410538ee899be2df0938b9ec6d6a1310992493f52fa1e7bbd063c31fbfc531318cdf98ed36d7304183188a62f3656c9a5f79c1960b51

Download Submit
C:\Windows\xccwinsys.ini

Filesize
450B

MD5
d3ac4de3943a0b15ffa5506fa5feb01f

SHA1
f7c4ad3380817274fa02333bd173f74f3550fa53

SHA256
19e656903225489caf63db9e9537c3ae3348431a5206bc7128906f354ae18a4d

SHA512
1adb2698ca7abfd636431e72398ea868091b2bdf327073f9f4496706729c9b3b037ca374048f318a623e96ccc4ca028ae54e9994340e42ea119b38ea89b95730

Download Submit
C:\Windows\xccwinsys.ini

Filesize
366B

MD5
3793c5033d4a0a24e1948052279787c7

SHA1
51cdb3e611de674665a53b07bc96cf4e3a710b46

SHA256
b5c7cd99f309cf25b8123fe41dbad9012c47f58fd86983012910585a5f84a6f4

SHA512
7bca06b051c9fc509fbb24ed89fd4329f00b37f7ad5d72ddebce2a2a3b56e5bd89f913faa22a3dcfbd4ac1a9ae01b61395e194a0fd18c4f453f0a69d49fce986

Download Submit
C:\Windows\xccwinsys.ini

Filesize
415B

MD5
368c89f6dbe5c923cc2c947e9bd2d448

SHA1
7f067c4f82a6aa6bfc255ddab4bb52bf3bc61537

SHA256
f555e449b0d4cf1270df7e22e049def3d0e6b64c56fc352b72ce9d259d990856

SHA512
5b3b230a58e7395a58f716521f93b4ff819ea47f0bc21c84034537911ee80418f8934d184943e0e5b035863a436d143331e45a778f67b8d263ca6a4582f0848b

Download Submit
C:\Windows\xccwinsys.ini

Filesize
49B

MD5
29ba9f9d07429e35ce77edb971a5f349

SHA1
5e76645272cc2fddcdfe3abae2fdd0809dc0f526

SHA256
716a3bb87f7cf28f75ef529ec374882e5af6e485ca7d12447e8780af0cbad3fd

SHA512
1861bcf94e19a1e3d3a98355b67f78ee4d21b6f06f8f5395f49751dde72d0ad22d578ebe545f29b2945d583d214e964e72ecb9e51d90b6cce263d61b9c52ada3

Download Submit
C:\Windows\xccwinsys.ini

Filesize
448B

MD5
6758f3c8831681b4405a7420dd5d6df5

SHA1
9fc427b9f57d242e0fbb0093a50fc6bc74182d99

SHA256
9f672440a96ab88c1818c6814fc94dc9b2790fac38e18dc28c86c411dbe6525a

SHA512
4ded2851702e415a684d166d8423d0c1500c5139b2c784a67ae2e026a765bb589b6bb56d77f6952c5ca2f41a829e91fbfa6dc0ec8b112bf96b8ed993a92115b2

Download Submit
C:\Windows\xccwinsys.ini

Filesize
475B

MD5
50d241e93554c61be7e4c13986819147

SHA1
47587a07067fb3dfc13adc2a657c91da17614197

SHA256
8b9533ca8bcdb8f2fdd38f1ee330a0b4d333a552548ac7f237736a8374499f2b

SHA512
2fe0b0d373e36fd77b01da1472c940e42ad453aced78e686003f85ebc414d13be8106d5b1dc1dd99d83ac401aeb11040581ec2aed16e456c292ef98db55aac7b

Download Submit
\??\c:\xcclstecj.bat

Filesize
47B

MD5
9ca7482fd2dcc44d269f152d851d74c2

SHA1
2158fd9f2b5d8456c8a9ab10e45162bf267397d0

SHA256
d8bf86f7fd2366d1ddbd82a63593b9a8b72a6075540e8ca3585a934e2747a821

SHA512
96f4b384f7577727961d627b569dd9f228bce958a35de034aa764d8528b4d7bf6976ca9727addae431f30c4468bf47b9da3b4808cdf9ff94fbfa5954251e8e7f

Download Submit
\Windows\SysWOW64\inf\rundll33.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\system\xccef080924.exe

Filesize
121KB

MD5
fb3bd6075083e7293b09cda7229f9d20

SHA1
36aba27e7f0e8d5d6f8bc30b1c76dd7babb4161d

SHA256
01ec0148bb8be5d6fec78334ee7836d40a6ab5e3404683db61898c8879594ff7

SHA512
c97751636703b9b76face63fd7d63fc598be5fd78d1fbc2b0384475c064fb9606814ff5f8483d83d1987fc9b39e3bc9eb51cd4bee5d13f9de8cb05f81a657898

Download Submit
memory/2804-511-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2804-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2804-76-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2804-953-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2804-954-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download