62e0c7cc1cb4f9d1edaf9839e49a7bef19679421a3eab6e636676ab959c03431

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
Size

248KB
MD5

1aae227b0f58c80294d1ed62a69bdd51
SHA1

fa83306ddddf7a035dd6e3fc6efb30d8e62e0ccb
SHA256

62e0c7cc1cb4f9d1edaf9839e49a7bef19679421a3eab6e636676ab959c03431
SHA512

5131fe6d5d85b37784f20d9b32f15444d00b8bf841aa4d083d6bcbcef68cfdf68c2f0691114fcf5fc1436d81ec0254145f85f2b4166a3c589dd29b58cf9b19ee
SSDEEP

6144:b9OUGWO3I1zDqVSyJTEO9sabxuQbrSA6HVN+k:bsUDy9dxukSUk

Score

7^/10

persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

A_v_DVD.dll°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exeservices.exeA_v_AuTo.dllservices.exeA_v_AuTo.dllservices.exeA_v_TT.dll

pid process

1312 A_v_DVD.dll
2864 °³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
1136 services.exe
3000 A_v_AuTo.dll
2412 services.exe
1508 A_v_AuTo.dll
1800 services.exe
1944 A_v_TT.dll

pid	process
1312	A_v_DVD.dll
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
1136	services.exe
3000	A_v_AuTo.dll
2412	services.exe
1508	A_v_AuTo.dll
1800	services.exe
1944	A_v_TT.dll

Loads dropped DLL 31 IoCs

Processes:

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exeA_v_DVD.dll°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exeservices.exeA_v_AuTo.dllservices.exeA_v_AuTo.dllA_v_TT.dll

pid	process
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
1312	A_v_DVD.dll
1312	A_v_DVD.dll
1312	A_v_DVD.dll
1312	A_v_DVD.dll
1312	A_v_DVD.dll
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
1136	services.exe
1136	services.exe
1136	services.exe
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
2412	services.exe
2412	services.exe
2412	services.exe
1508	A_v_AuTo.dll
1508	A_v_AuTo.dll
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
1944	A_v_TT.dll
1944	A_v_TT.dll
1944	A_v_TT.dll

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3000-78-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1508-102-0x0000000000400000-0x0000000000415000-memory.dmp	upx
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	upx
behavioral1/memory/3000-119-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1508-139-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/3000-148-0x0000000000400000-0x0000000000415000-memory.dmp	upx

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1944-128-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	vmprotect
behavioral1/memory/1944-150-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A_v_AuTo.dll

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe"	A_v_AuTo.dll

Drops file in Program Files directory 15 IoCs

Processes:

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exeservices.exeservices.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\services.exe	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\services.exe	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Au_ing_Code.ini	services.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Au_ing_Code.ini	services.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

A_v_AuTo.dllA_v_AuTo.dllA_v_TT.dll

pid process

3000 A_v_AuTo.dll
3000 A_v_AuTo.dll
3000 A_v_AuTo.dll
1508 A_v_AuTo.dll
1508 A_v_AuTo.dll
1508 A_v_AuTo.dll
1944 A_v_TT.dll
1944 A_v_TT.dll
1944 A_v_TT.dll
1944 A_v_TT.dll
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

services.exeservices.exe

description pid process

Token: SeDebugPrivilege 1136 services.exe
Token: SeDebugPrivilege 1800 services.exe

pid	process
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
3000	A_v_AuTo.dll
1508	A_v_AuTo.dll
1508	A_v_AuTo.dll
1508	A_v_AuTo.dll
1944	A_v_TT.dll
1944	A_v_TT.dll
1944	A_v_TT.dll
1944	A_v_TT.dll

description	pid	process
Token: SeDebugPrivilege	1136	services.exe
Token: SeDebugPrivilege	1800	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

pid	process
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

pid	process
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
2864	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

A_v_TT.dll

pid process

1944 A_v_TT.dll
1944 A_v_TT.dll

pid	process
1944	A_v_TT.dll
1944	A_v_TT.dll

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exeA_v_DVD.dllA_v_AuTo.dllA_v_AuTo.dll

description	pid	process	target process
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 2040 wrote to memory of 1312	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_DVD.dll
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 1312 wrote to memory of 2864	1312	A_v_DVD.dll	°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 1136	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	services.exe
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 2040 wrote to memory of 3000	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_AuTo.dll
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 3000 wrote to memory of 2412	3000	A_v_AuTo.dll	services.exe
PID 1508 wrote to memory of 1800	1508	A_v_AuTo.dll	services.exe
PID 1508 wrote to memory of 1800	1508	A_v_AuTo.dll	services.exe
PID 1508 wrote to memory of 1800	1508	A_v_AuTo.dll	services.exe
PID 1508 wrote to memory of 1800	1508	A_v_AuTo.dll	services.exe
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll
PID 2040 wrote to memory of 1944	2040	1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe	A_v_TT.dll

C:\Users\Admin\AppData\Local\Temp\1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aae227b0f58c80294d1ed62a69bdd51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
"C:\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2864

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files\Common Files\Microsoft Shared\services.exe
"C:\Program Files\Common Files\Microsoft Shared\services.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.1MB

MD5
03ecec54d4be5767585ae751b87bb4ed

SHA1
f7556dc5a816cd49a489d6f73af663f92ccaa965

SHA256
60e19ae668270d6515e1903ecb166219ea026949ecfa87fa1dc142c2ca98922f

SHA512
7966855a29ff8ccd5f1e3c4ee065792f5fe62675b0e121614faf796a20beb35cd9ff549a7e1b5f7455534667e7a02b9651e4b65d15440826c7c73abcdc0de56e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.6MB

MD5
e836d1f949145e76ffc6a4ec8a8b29a1

SHA1
1bae20ca14fd997137112ef37c7b2118c520d74f

SHA256
704af552c78e34fdeb1dcfd401f356e98a0444ce7ad64d84418efd690c379e39

SHA512
df7369a6d6816c9c9657b21f59bbb7262b9d48f5c2d05700545d0f82d90f36a8c924aa2a951520c99db0c0f24999b0f556daf163ed2a7030008331850bc82242

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
10.1MB

MD5
600e672cbbfd0ff1d479cd50209b685b

SHA1
4c9ad4856d3362426f34494dd157c734d4c68569

SHA256
7017d59abf01d3c5dc9c0c38624cd6b002c75bfe11b2df279c2a350f646ff5aa

SHA512
78c92a57ae278c981440baa7209b860d71c4cec343c6d25aa9c4763e9c8d6b95ec66179455fd7acdb5f04b12412558ab90981c9e7861d432397f4253550a5a26

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.2MB

MD5
83c42e1463e97035e4058a9e54e4f885

SHA1
144a432b61348f5a3898703c2ff104dca19aff32

SHA256
997e844c86332b8c44a6b38ac804aa82d596415721a8dc34d51a1ddd62873051

SHA512
823f95f931fbcc78359e0d919a03c553ff8e6f8cafc4ebc54b14d933926a5b6449f20be4b85945498253fe8e6f9910d624efd68c88cb834fa72741199b213037

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
10.4MB

MD5
8cb4244d145c7eeda5ea73bfe18bd906

SHA1
e028dd1773e1c9f6d620659b56f26f12e9e87509

SHA256
d837c292219688321b9d26c48406e9024a63a8342bca9faf47461f12731d256a

SHA512
2c8af6e5fcee9906a6e7eeb1964d303dc9d434a58d79a46b8b0596372d53eb07fcb5f7f957560cad776d40405135403782142865c7fcbf71522954dbe4a2cdb9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
10.4MB

MD5
83eee92a9b2708f73802ef10e0dac8e9

SHA1
c000b9bb1957ed3b222e42759313816b67ef13d2

SHA256
61eaad449c3ed8926557967048a807430a7ff6846642fc03c950fe3ffef59898

SHA512
bcab4d7c696d9639a40eadcc63c1d0e716fe2dc3201d05054da16a9ce7df439fa4f04e30f2ae443447f2c8992781ebf5d21e2a650b55d8b4bf09bd394af5ccce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
9.4MB

MD5
75d8d1c21377c797ddbc117963504589

SHA1
da49a670c89de2eb61aec25423db38fb3d4ab105

SHA256
dd94628207855c3d2507f73a8e9dff249a89964a128a7f8bc24e119241510016

SHA512
f80236b9d3092691f23c78e2ec9507801db61937884f6b38966acfc3eb2b56994e7bc62a91e26a1a33d9eeae1fa1e84dcba797967f081a0b339b3cb82171e061

Download Submit
C:\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.6MB

MD5
17f352973f3976c49d9fb13132efcf51

SHA1
eb30cfa68720590f823bce6e2466f201e8a62f12

SHA256
c7692b61f25e6f4c74609a0052e042a6ddd55f1512ea9ef2377e9d03f3655841

SHA512
2e456bdc5a9b7db1be403f273b3f18489ce930cbfd4d319e782c6421072ae3fe8b8c090b5ade22f3f38f76f55ee0ea1ccc7d769a17e75e34570b1ffc22bb8254

Download Submit
C:\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
17.6MB

MD5
bb7a83f7f8c09462e2bda3d30d455751

SHA1
fc215640c76e3e57fdb6a305771188b2525d5428

SHA256
6050866b383895efc7ee1d60330b90c09e96b48a09959c2e5a72bfc445d27610

SHA512
0552b48cc1f1090b6e2c90f5edddd0afe8cdfb91eeecb46689a85981301cec3c0700e9eb7dccff94ce420002901bf6d4c4af0d554ecb7908cd0ccf113d4bc921

Download Submit
C:\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
17.9MB

MD5
f299536fba46ccdc679e735467c65626

SHA1
3c023455548591ab244f40081479c1503c77645b

SHA256
2fd24630aec980360a4e1829ec446d262f669a7e5a2182af8c55843585c571c5

SHA512
dad92285cf295ea686df76a9c59d2504d7d48afb00e9e723526c12d0a17bc230a52c882e4c195772678d47dc358abe408cda3d67ea77eb006e701955b2694ad0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
18.0MB

MD5
492128f3593660eb05b535ff829d8670

SHA1
624103b10ad089ab27c36905c5f936acd4fdf3c2

SHA256
070a00f42932cea6ce0d2999f83816d761fc647cc26e782e25b0fbe095b8f0e6

SHA512
dbd806493172f0cab0de8d7ac3bc528018444ddf85c35b2bb1a5a237118cff7783cbce9af11aa879d62208d76bca0d5e409ac9d73832487a01bd51c42bd9be16

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.4MB

MD5
1e0f90c6a2602b4d876db872058db468

SHA1
b502ab9b59cf21451e97ab04d70038f35ea781d0

SHA256
123e3c4b0ecd7ba90637ce25d738c8618a2483a1b6118f5d9ff4f5eb58e74ab5

SHA512
60767787251d2894b5c77824923579376676857ab6cba62d69ae261c9ae85e527e1125d163265aa46fbd8f4842bc541022e2abdddde917a87b57ba4eacc8d757

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
10.9MB

MD5
af0037dfc2cb14b817eeaf0ccc1d144d

SHA1
07b2e03ef37a2da16e6834083c6a62e58e406650

SHA256
f9e9ba9869f90d25f0e609ea5da467cd05631a33422b90574970fcfb34c03902

SHA512
0f5cd0edfb3e847993f55ae3ab2a9a786804823c306a7a0ef9303ed1caf6a429bd1ea0f89a81448b9c02004bb55b1dd5c5af4e7e0b200e2a5acb1db95b0646ab

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.1MB

MD5
c22d3daef85f91287ee0cf693fad4d3b

SHA1
79fc579420578cb9373d512f63f88514ed04eee2

SHA256
07ebf367b2f0c1acec8cc663e4d217c441ede4af374d686d0668908b8bafd345

SHA512
a08d240b209cdb9dd6067c037dcf493dca1b9a88fac9c66d5d3a1d4461b043a84911bfcce24a78ba0e10ff4c3a6425d5b58c339308dfdcd9ea7b0fb55d84f524

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.4MB

MD5
68c2d05c9e8ff1f82f1329c33c1c5861

SHA1
3f97dc7a183c37669ad3a7d05856f139cc6b4295

SHA256
a38d8d7afc21b02dbe8a09ad421816927094514aff11dba340fca037146709f0

SHA512
2ed7bb3285ca9b0edccd769678b1e3a5cbea3a79cc8ab2fe40903943348bf356e74fa3be676c2c8f98facff6d4a278b366e19c2e629bb8c60cb2128db3b2a49b

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
Filesize
11.6MB

MD5
b152a6a4e1efe1c32069fa74f843de77

SHA1
4d8ddecad493fba7328d3a4d75e48f46022f1de6

SHA256
3264bab59a0fa82a07c8b33e7d6987d7182a50b70fb0b0917048df7ffb19334c

SHA512
424b8029662171de7e5923ae14425686350da7c91189099fd4642d9005b624d785608ddfa71b7c5935a35a591f1d096e8258e8dad09391e25f5c7edcb3ff9042

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
Filesize
606KB

MD5
3954a59a8277860ddf499dc678f04332

SHA1
0d2002095d32ff3f6e8121594b37c5df4ca5c954

SHA256
af40b7904111abc6d178d61ea46d5aee452c38dc06246352824658334c50cb9b

SHA512
313754aa35f761400674456ee1fa0f47ecab068c0dbd9c8fad9f40e45cd9a03f5c6f8550a44662993b54aee75acab1f35d1c459d2656c4ab25a930a681d87200

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
10.6MB

MD5
4afef175f0a24b9e6d4d27936b8cfe47

SHA1
ee9cbc3a44342a8d10b71d9ccfaa890c10997c4b

SHA256
aa9df1b7cb2a1541e7cd0dd8ce3a861e136c78afbc47b7bc674da7659c6b3c6e

SHA512
e24accba990841d901da4684aae1a0b2baacc953cab5cefdef6116ab457f0b1dd3b1663a9ab25127c1d7a87a4dabbab1acdd0b5de9264926ec879c38287e1679

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
9.9MB

MD5
ed9f722acd844c5c745c2b5a00ed2da8

SHA1
b844fb2b95203b7ff370388fb45c1aad7e6b58f9

SHA256
4adf70331c5a3acbb626aaa3dfae3c0270f6bc4823d5a09af074eff3c34de13d

SHA512
dc116f3a7edc1181139fa11d0e2509de076db393fc3a4835c5e7ad6164417cf295cab861db3e576d4737a20cae1d3e38e5437e32657f8b0e15312fd233f34b8e

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
8.9MB

MD5
428aa917536daf9f62027de4de2c2f24

SHA1
f9187e29b2b8f18de519e8c28bb89642ba938282

SHA256
ef4cdf609111bedba02180ffb2936b46b0bf34e2a945c2232b2bdbbb1d50f7b2

SHA512
7493bfc55ab0708a30a332aa1cbdaa73c4fb55d3bb5eddba591d35a96eb09d4b8d9d49b93f125bf73dd660fde05161698cdab71c3a76e153bf1d4990a1135cbe

Download Submit
\Program Files\Common Files\Microsoft Shared\A_v_TT.dll
Filesize
9.6MB

MD5
56519d6ab88c44b2ad60896f25529d6e

SHA1
0abac7b5c955cb36ea0327313436c98e3ca4c904

SHA256
e4947c6522701cd46a2b56e2ffce7fa96cca6a2123163d1b41baa605a73860d8

SHA512
cd9393620f388f3ff51363102b8dfbb08aca3f4d537f84ee78dfb4c59462877614706cad52d40db76807f63d9fddc10cfb0528784722518686c6c68858f3df6f

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.4MB

MD5
bbbde281b2f514be717ada79a3b52c24

SHA1
d73d2cfa0696c6886b2685d1470d0b67cbefbee1

SHA256
9047a889a20929805f8fd40d20aba50afac38bb1fc2addc2c8d9929413637db7

SHA512
f7911d8a1f97f3fb1e31a564328f3844d86cd8007dfb79e78bfdc694cedc724f00f6194467605f1c13b5f1f151175b06ff257f76565047eb6689a0150617f310

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
18.8MB

MD5
55ae1b9e7b5aac306ef79bc8e1c5694b

SHA1
cbd531e28dfdcf587b85762fc3fbc97e63fd7c0e

SHA256
d4d20174b8838f775fcf3dd0cc302d0fc1f18cbef7207fd39d8aea84647f425c

SHA512
ca5d95d1ec73f9e5b2f20cd6148b94cd99db2c98549a53d12defd3c310eae26c844d9f799c0931105e7c367315af40edad4c8d71e7c4459facc9381291e9c773

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
18.2MB

MD5
7c62c8fff62b94b0975bb626ddff2ff7

SHA1
7d34a5464517dba75c3be77e72df682c426156a0

SHA256
134a64540c8971d066a6e1433727a12b7cb7bc58f39a060d4443fd5c0a0cab67

SHA512
65319cd02b392bde45b709fd9aa2855d3a010579e286b0d812e96a57891459fc3612e509808cbd130c6649f7e3c83b0a26d27b8dde2e74c3f7f60bfe641f7dbc

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
18.5MB

MD5
b9596182de94fbab6cc71fa195737608

SHA1
743f5a39613ca3571ee74b865941b7fd082c56fa

SHA256
681c6409d59880794b016ef2868e149c977054ea901c2ccc800997abbdf80530

SHA512
5d0a74abab05c00371e0803be10af4d47ae8747cc1f37bf5887b4bcce8076c65b94399e909b142381ce00bb3ed46924b12365d436086ef286b028b50c15bf7c8

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
18.5MB

MD5
53c8fbffdac9b1bc63c6f16af2e7d0d1

SHA1
bc027725a42cda8d453342a9cd1f3a48f41bb5f1

SHA256
e35047557afa215559cd04230a2de16c294bffbcca1a6878d2246b0ba19ef180

SHA512
7c6682567ee665ae4b8cec51cd2f24b75e8314c8289d7cb6e3e41f0d13356fa2e9a88b0c73abede31af369b7301bd3fb5f86a6c8a040b950615ae3f30bac566d

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
17.6MB

MD5
c15507867faa68605f0a94a30a9ba953

SHA1
379db832f9a9fe04079ab7011131da43fac71c4b

SHA256
d416bd5bf1fc9ea1d15dd5f34f76601b19fdf645b2819ffbd1b82fda143ae31f

SHA512
51105632bd4e46dc9bf9ab2a635f57f2e6fb6d3e5a86d3eb9accb21889e04b7e28c876f08f331f46335916a00d12edec8b527facf3b0feea1825f6f54cf8194d

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.1MB

MD5
a047b0508b29e1839070fe04dea73749

SHA1
99a12a2e4c0ea1fcfdf5af8349356a0e6291cdce

SHA256
c612953e591c1a0068515bce41c2baf4459da6c4273574386afed8f79607dfe5

SHA512
ba3b6e71d93f5969daba6ffb5cbf6e4b7fd728d675dc59a378d4d4ce289d074e3d0b26dbca908457d4be2ad1975bb8764f2933cd711ba217b7b9a6c58c14c8dd

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.1MB

MD5
df94ce147094ab3e5ec75f513f2774e2

SHA1
347ddf83b7cec550808bc457ce6c4f37356e66b0

SHA256
532e3cfb29e58930da83e287e30dd12b0dbc7c007bd6b19968f20636f908e74b

SHA512
6f5b90bba9e7b501063742ffe8371caf2d7845455d16c4eddf636f82001697788737ae6ce82ef533ddeb5f1bf66f93d39b06e7590973d9bd352053a2b8677f51

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.6MB

MD5
3e1db9201b84a4104f203037d3221173

SHA1
9a77f2be3f837119f6722136268f5a53bed09caf

SHA256
b47e00df4820fde8494ce9b82310c9865c101af431a6e5bc5b2e67cf4c89cc03

SHA512
7b0b996cad10031b29540d88ef019639c2b2dd9cdc662ca05e683d6856f6b25522dd619ca17793a9951b39e2c978968e5fcfb398e365a84313a5df91ae636186

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
11.6MB

MD5
55a9d485e3189e605e90be32680c11f2

SHA1
a73ae1ec73fe66c0a33246cae8e98996524dd83e

SHA256
4e4136961208865f2fad26857f4870341a6e2c84276b42c1a2cbb52382d1e3c7

SHA512
b100f6671d44002aef28565c1e6b4c73fe41db958ad1f355b17d02b9b0907f60e3db3462a098599f0422c3ae3d76616cf807c962f7166d01160bb13d68028496

Download Submit
\Program Files\Common Files\Microsoft Shared\services.exe
Filesize
10.9MB

MD5
3d1e145f3156d5c7b6f708ab47b3fab4

SHA1
57f2727acc5c101df351a16e4b2aecfbd64dab78

SHA256
ed6aac65d643e5505e7c151d1da99ebefe2e1482c676e7e93ff18ad0df43faab

SHA512
bfc18bcdf326b05c4c2754500c2a5fc38eb8e1d390352430aeb189e7124d53e8f0b14ac47f20b540cb7a66460a8e37121fd8b64ea05c1e91a04dce5f0cd2018d

Download Submit
\Users\Admin\AppData\Local\Temp\°³È¥Ò².exe_B1676DE1A664D9FA186FE0A0E18C2A8D956C8E47.exe
Filesize
252KB

MD5
c160a0cd4b855d9f0e3ff55f82b563af

SHA1
6f92cd78041a1466ec07c58a96c0667185d41ae8

SHA256
e1843a739a6be0a7e4e0ba31fc55aefe4ec67d9ee7050d38f43ce61bef1f1c51

SHA512
f7ee486ff8e2e1fc5e36b6632598b92da69bc0126eb80132bd4a838326d539acfc52fa056a17f0a17de8c1340d2e17c505a4b9117f21d563aa9bf9c9145d5fd5

Download Submit
memory/1136-93-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1136-59-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1136-62-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1136-99-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1136-100-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1136-101-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1136-61-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1136-54-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1136-60-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/1312-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1312-19-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1312-64-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1312-65-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1312-18-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1312-20-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1312-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1508-106-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1508-139-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1508-102-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1508-140-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1800-108-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1800-107-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1800-138-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/1944-128-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1944-150-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2040-52-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/2040-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-2-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2040-88-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/2040-77-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2040-1-0x0000000000230000-0x0000000000285000-memory.dmp

Filesize
340KB

Download
memory/2040-75-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2040-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-12-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/2040-44-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-115-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2040-114-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2040-127-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2040-46-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/2040-48-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2040-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2412-95-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/2412-98-0x0000000000400000-0x0000000000417A4E-memory.dmp

Filesize
94KB

Download
memory/2412-94-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/2864-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-38-0x0000000003280000-0x0000000003484000-memory.dmp

Filesize
2.0MB

Download
memory/2864-37-0x0000000003280000-0x0000000003484000-memory.dmp

Filesize
2.0MB

Download
memory/3000-78-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3000-119-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3000-89-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/3000-83-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/3000-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3000-84-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download