405ede2311ec7558b08d8464154619e0c8a4c8b127f7b1bf0c58e2991cef89d8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe
Size

1.4MB
MD5

189ff8ef5c378f3ef76b0ee74874e584
SHA1

95a3ab2be35ff81f0f819aaff5471735f624350f
SHA256

405ede2311ec7558b08d8464154619e0c8a4c8b127f7b1bf0c58e2991cef89d8
SHA512

f097a2b0b24db355dabec197f40be35db74f0623568ad72b757648ddbd56bd0b96c2d4b6dcbd5b7e1a8d97f22ba1627a97faab0bceffb368366a0f9d8717f070
SSDEEP

24576:MzYXU4fu6HSekwFy7NEAlnM93CIbgddf9EdxEJusZ7XALyYxGUpsAoSptl8z2rAD:lkibHSekMy7NEAuYMNEJtZ7pYseDz8ZD

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3012	install.exe
2788	setup.exe
2936	is-QKLR0.tmp
1936	DVDRegionFree.exe
708	pskill.exe

Loads dropped DLL 22 IoCs

pid	Process
2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe
3012	install.exe
3012	install.exe
3012	install.exe
2468	cmd.exe
2788	setup.exe
2788	setup.exe
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
2936	is-QKLR0.tmp
1936	DVDRegionFree.exe
1936	DVDRegionFree.exe
1936	DVDRegionFree.exe
1936	DVDRegionFree.exe
2468	cmd.exe
2468	cmd.exe
708	pskill.exe
708	pskill.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DVDRegionFree.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pskill.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\pskill.exe	xcopy.exe
File created	C:\Windows\SysWOW64\sleep.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\sleep.exe	xcopy.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-BVBTK.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-FE417.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-S0R02.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\unins000.dat	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-266M1.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-1QON2.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-JLK9E.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-3SQAD.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-5UO4I.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-NRKC7.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-ON9Q9.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-Q278S.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-F57G1.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-2DIS3.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-R9SIM.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-H2P69.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-R3PGD.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-4Q021.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-2MESV.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-UH4K7.tmp	is-QKLR0.tmp
File opened for modification	C:\Program Files (x86)\DVD Region+CSS Free\DVD Region+CSS Free.url	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-5FVEN.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-KRHOG.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-J0LKJ.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-18O6Q.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-QDM6U.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-KD0PC.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-8IDUS.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-8477V.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-CBD1B.tmp	is-QKLR0.tmp
File opened for modification	C:\Program Files (x86)\DVD Region+CSS Free\unins000.dat	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-FOHB5.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-FKMQH.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-VVA1A.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\is-VC7VK.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-J64RA.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-4ILA3.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-06O4D.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-EJJGL.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-9POSN.tmp	is-QKLR0.tmp
File created	C:\Program Files (x86)\DVD Region+CSS Free\Language\is-NBH45.tmp	is-QKLR0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\ = "DVDIdleShell Class"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\VersionIndependentProgID\ = "DVDShell.DVDIdleShell"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\0\win32\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\DVDShell.dll"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree\ = "DVDRegionCSSFree"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell.1\CLSID\ = "{93994DE8-8239-4655-B1D1-5F4E91300429}"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell\ = "DVDIdleShell Class"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\ = "DVDShell 1.0 Type Library"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\FLAGS	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree\shell	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell.1\ = "DVDIdleShell Class"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\InprocServer32\ThreadingModel = "Apartment"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\FLAGS\ = "0"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\HELPDIR	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree\shell\open\command\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\DVDRegionFree.exe \"%1\""	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\0\win32	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree\shell\open	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\DefaultIcon\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\DVDRegionFree.exe,0"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell.1\CLSID	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell\CurVer\ = "DVDShell.DVDIdleShell.1"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\VersionIndependentProgID	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ProxyStubClsid32	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ = "IDVDIdleShell"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVDRegionCSSFree\shell\open\command	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell\CLSID\ = "{93994DE8-8239-4655-B1D1-5F4E91300429}"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\Programmable	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ProxyStubClsid32	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\shell\open	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib\Version = "1.0"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\shell	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell\CurVer	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\TypeLib\ = "{90406970-83F1-48F2-9226-3B09DE3F0E6A}"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\0	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib\Version = "1.0"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\InprocServer32	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\InprocServer32\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\DVDShell.dll"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib\ = "{90406970-83F1-48F2-9226-3B09DE3F0E6A}"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib\ = "{90406970-83F1-48F2-9226-3B09DE3F0E6A}"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\DefaultIcon	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\TypeLib	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\shell\open\command\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\DVDRegionFree.exe \"%1\""	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell.1	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\ProgID	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93994DE8-8239-4655-B1D1-5F4E91300429}\ProgID\ = "DVDShell.DVDIdleShell.1"	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90406970-83F1-48F2-9226-3B09DE3F0E6A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DVD Region+CSS Free\\"	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\TypeLib	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDRegionCSSFree\shell\open\command	DVDRegionFree.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVDShell.DVDIdleShell\CLSID	DVDRegionFree.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBD15064-BCE7-4488-9124-B9433BF3882B}\ = "IDVDIdleShell"	DVDRegionFree.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2684	regedit.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
708	pskill.exe
708	pskill.exe
708	pskill.exe
708	pskill.exe
708	pskill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	pskill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	DVDRegionFree.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 2432 wrote to memory of 3012	2432	189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 3012 wrote to memory of 2468	3012	install.exe	29
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2684	2468	cmd.exe	31
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2800	2468	cmd.exe	32
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2820	2468	cmd.exe	33
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2468 wrote to memory of 2788	2468	cmd.exe	34
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2788 wrote to memory of 2936	2788	setup.exe	35
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2936 wrote to memory of 1936	2936	is-QKLR0.tmp	36
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38
PID 2468 wrote to memory of 708	2468	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\189ff8ef5c378f3ef76b0ee74874e584_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt7354.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S register.reg
      4⤵
      Runs .reg file with regedit
      PID:2684
  - - C:\Windows\SysWOW64\xcopy.exe
      XCOPY "pskill.exe" "C:\Windows\system32" /y /i /s /e /r /v /k /f /c /h
      4⤵
      Drops file in System32 directory
      Enumerates system info in registry
      PID:2800
  - - C:\Windows\SysWOW64\xcopy.exe
      XCOPY "sleep.exe" "C:\Windows\system32" /y /i /s /e /r /v /k /f /c /h
      4⤵
      Drops file in System32 directory
      Enumerates system info in registry
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      setup.exe /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\is-5PBU2.tmp\is-QKLR0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5PBU2.tmp\is-QKLR0.tmp" /SL4 $3019C "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" 939957 52224 /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Program Files (x86)\DVD Region+CSS Free\DVDRegionFree.exe
        
        "C:\Program Files (x86)\DVD Region+CSS Free\DVDRegionFree.exe" /install
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe
      PSKILL DVDRegionFree.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\DVDREG~1\Language\DVDIdle_ARA.lng

Filesize
7KB

MD5
6d1391052c90274ada6ba630ac100a58

SHA1
bb5fa9f3abaf5d37118536ee52082cde5325278f

SHA256
5eafd1b4d54fd77f43ee984e6d9a7d3838136be5b2471ce8b0498defa327977f

SHA512
165c8b5234cd26110fba0d892af441033633af604871c9055318ae335f753c995ae43784e8ac274203a38443662b886c7ada02950beb4bfdda0c95520847b9a9

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_CAT.lng

Filesize
7KB

MD5
1750d346a44972a33799fc189ce0b4c5

SHA1
0fdaa5b0ff6599dc7f9b39f7f56b0456be3f4439

SHA256
0cdbd86ecb4934be0e25f2a226b666e0163366c4598de901a3d065c1bbde8738

SHA512
94a15853588b98de1249180654a34f7e8139acb2d930402fdadcd429e07924bd659214dfdab7c7c69bc98f7e1707e5fa9cf216dcf42fd2b9907d198777ffd3e4

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_CHS.lng

Filesize
5KB

MD5
54c7762e1cb17eb8a9eea47e09acdf88

SHA1
c4ff60e0497a473b80e076045e806ff69e6d86dd

SHA256
9493cbd974e847b1173ea6d1216d993b7acf4e9d6fc1b1a0d5ce868a5ff587eb

SHA512
68ec4524ad9cc1dcdd272d12df6a4b7ea5038d9f6af199565c8208b1787729f37a8baf7f66185de24e2e95d12d32db41fafa3c563dd3f3e2f6bb8ade18eb1957

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_CHT.lng

Filesize
5KB

MD5
73d46adfbcf9756d0d5d59b6791f166c

SHA1
234f3cdb103d0d64156fc28e5eab3123ad4eb951

SHA256
f93f1b517c6ce8d3ccd0317a2e3ac15038d49beea61bb4a1d9a69effcdec7a30

SHA512
5a5a1087a48fb5d8380cde8d9e6590c0dd2a78e5a5043ab2fb5261227a3b8a481e100e354f0f6c01b98430b97818ac5328b8315e5ed7154ff9936d7acb623f8d

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_CSY.lng

Filesize
7KB

MD5
97a3c3fa5096548758acd73d2643dfc8

SHA1
c92384d7eb1f087757dc16c6fabf52979ec0fd21

SHA256
48307d2e85b0afd552252a88ab3e5fae1f199202bff430bd22361cb0407fa259

SHA512
8a8e9bbba029eb8e6b6e49017b29fcba6966df3dff1f2d45bcec1f5f29a7a4c78ac1d637e5c09f6133367ea329c60bbc148336c889ed918cc5f94a349cdb2438

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_DAN.lng

Filesize
6KB

MD5
f2d7763992669afd1b14cd440df44bc2

SHA1
419f5f6e56686efcb084b2aef8b3494441bae1cf

SHA256
bbfcda985380df5d99543de81c69c617c5b2a41bb2452f7c6693efae477ccbcd

SHA512
c8adb7269cfab37cf8b964593acdc74240689193330fe159e53d8f43689734716d96e1a29d2dcb2b31b6719310390678ba8927bce890fc659e4ad05b31a35282

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_DEU.lng

Filesize
7KB

MD5
14a8980eb60ce62063dfcec9364bfa81

SHA1
d6a6a006528000a295d70577581c35392b41f16f

SHA256
52eb02d381400a07ec80ab70abcc1dc6a8f5003d5af95a515a27a4c0ef4da9df

SHA512
b475c3ec84f4e74b29d6fe9e693b96428d03402ab241bdc5391f76a2b6ffbe38bbd1fa94c5c6e832b9ab836c797c16a0452e172a1b4d4d160f3287d2f06d74ce

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_ELL.lng

Filesize
7KB

MD5
ef8599d0680e58edcb62590d92fa7a12

SHA1
40672679f8c381d3aabd3ff48c56c47aba5c3e96

SHA256
f703def96a5e40a01333920bc16875da2a4e22559fdd08e90729e077f70291d0

SHA512
220df73a8e4ea6067ea36ffa780b83aebb216f535e428e94eec5c56eb7c8095e2ecdc174cf6646855aa4fc00138926a16ecd3a1f822fd429f64b5159917dfe0c

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_ENU.lng

Filesize
7KB

MD5
971f6c0905a33c288ed8f941d46a630c

SHA1
35d40960e6939708c8806a0140dcd9e9977696a1

SHA256
517c38cf02e0feccb49a1d9e4c5fab7868315798e0f4e5780b36c0ecab2682f6

SHA512
7a354be17cfc8a1757c8662b6e84c7ddb73e69d3128a61340b7f1ec5ae5ae496a8fc5e1ab924da03cd4041fc4a9c579e82767fc84e0273d9218808276902e7f9

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_ESP.lng

Filesize
7KB

MD5
92798d2099a87e1120ffacc2c2e9380e

SHA1
dcf3ed9fc120b8e7c7460d694aaaf9f726e514c1

SHA256
faf0579de441da165f5116e02876b830acdcd463adf2447992e03d2b2e92b7a1

SHA512
34b8605c19c3356821bc770a06b031c81b4693a0ba5fe5ca9e1d84bf94fe588da5f91face2bb4024152a94e2ef5246abcf58892abd8bab3350fe7b0521746ae2

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_EST.lng

Filesize
7KB

MD5
5fd16553269f5d759d3d12109f5cb238

SHA1
215bbd15ab0ed20b350cc1cddb9a180aa28c780a

SHA256
45602ce3193f88e83605ed62bab08d716c1ab7749280cefedfbad85508bc2545

SHA512
3ea96bbd2b73120195eb981c1e4fe7128fe5faf5085b1f051217bacb76bdb10d7db6856a4454c79bb952c34820233d9eff704ca54b94d4b9581c07569c8951aa

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_FIN.lng

Filesize
7KB

MD5
45f313daa89ca5b03b79d3b762b393b2

SHA1
4ea9c626e4d2b1f9b5f57f1fb030b4b9d3370432

SHA256
eacdf59adc2f8b4cac785d84f4161fed759940dd50c02998f3efa5d11f28a8c0

SHA512
5438e46e9a017c77be66549222b8b06a7b991de7b0260305279bb1e98957983af5625cbcb0e2f462f78491f130a3eb9e0ef2718ce542597e70fdcde9dd15dfc4

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_FRA.lng

Filesize
8KB

MD5
44d51c50757beb435463b90c5223d465

SHA1
b0f7cf70c3a6db0366cfc02041da21ac4560ab6d

SHA256
a51bec26462710a790fe21c5a52b574a90c7ac2735d3d77853a0db8964b3c496

SHA512
2a8119d3e0b4b9983db8061466cd3e6808de9da1248f9671c5a5e2b8418b6c59f256271f704f16121595a973b3524241381d9a305de05c788736b9fe09615cd8

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_HEB.lng

Filesize
5KB

MD5
a709c02d5e914494fa00480b883bae83

SHA1
00000425c3c2ba8b18d9b295327431c546889693

SHA256
a137685a766505cd09538c306c9467effdc820b75729e033cb064a495a4d85cf

SHA512
8e3bddfe0510ff895b589aa82cbcc7625e398f46810b6343e59a32f9474975912c0cbd862956ec6375731347a4cdd996df4baa4b88455505e6d8eae3517b5fb6

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_HUN.lng

Filesize
7KB

MD5
a73a6e9c3fd495df6e2b3095cd78aaaf

SHA1
3515073a0dc06fb4a135ff36d4e0190f853cf435

SHA256
351793cc3352a36259169c39f8c8cd18109e381437b94881144255b03770b063

SHA512
9683d7ccbbaae09da703d224e88fc8be01c37934e204eddc99b152d0c5cc620a125a3b269cf64ea7bc08a1cd5f7dfcb66c6899e45e26b356ac02872a1093c720

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_ITA.lng

Filesize
7KB

MD5
4e63de058ff742c1f3c027297f3b15ec

SHA1
85b86b50cf61a9f72cb3c6416b2476d60ac3b6de

SHA256
b47c4fffb3d4b0d92b1798e108e4259b9d6659daaa06b90276a9c05d57d11b64

SHA512
9cfdcc35a0d18f1ff02f57e79c2d512c08925ea600a047bb8afd75a3e20636a4bb47a54ff089af630ec5d8cbf8b8634e38735cad78c1c31284377adc4290156f

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_JPN.lng

Filesize
6KB

MD5
55324feb9d5baf1df05d663be9ffe796

SHA1
c75e60e92a813bfeaf0cda2333a22db4bdfc8bc6

SHA256
d77d06ab5081d3f352ce3723ffc37606a22265d177feb8b3f8fc309fe50bb4f2

SHA512
e3fa0b63a9c5c49be2c1a4a38f3591f0d01ea87d1c7a503c3aaf5b180954b7fc02f5aac1b55541e1c715f98e390d859ad677702a50a54e8a900a83181b35c341

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_KOR.lng

Filesize
6KB

MD5
2d9645f2032b001e608adfc1da849805

SHA1
80d6e1c3d58dfd47cdc365ccfa009b7a252439db

SHA256
16648f55bcc2ffbe65064a1c3f060eadf3c1e58d5399ca955ad1446be7408974

SHA512
670ae6fced2b30195fa1bd35e59a9408dff3001f1514818c50de0a8899584287791159e8042ea4ab7118e9cba071c9fefc8b6be4d258e2beb90ccc2943a74a21

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_NLD.lng

Filesize
7KB

MD5
b68171e12e5662fb2a56ef78f53c984d

SHA1
0a728d89bd7e505d2f05c573c4590df7aaccf105

SHA256
6ee0ffcf12a82f01cb35545d7792c3d2df2633dee1f3764e1de0aa5420504a1d

SHA512
a768daf4f296d971c8a8452da713b3e3c5ed18ab7b2ef564f53081f4078644f559e11387f07f83a49d69a9ec34ee382b36759c4bb2627056addb5075427a9d96

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_NOR.lng

Filesize
7KB

MD5
d42abe40a1990221d88a6271343cbcf6

SHA1
89fa437da75905c1244f20bce808c254a4899cc0

SHA256
03c2daf606ed91dbc1eb0042ba3bb4443d7da606fcc1c8561a2ffec368f741cf

SHA512
d20fcc0ac5c6c7511c41590380a4142a832f9d62bd411b9496cd698541fee2ab13e02e06772e2f6830ec17b831c83567a6c008079298d5d6bf37964f468d52f9

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_PLK.lng

Filesize
8KB

MD5
a61a80c533f1735cc5667fb4455da095

SHA1
0b0ef89b167d1a9d2c4e851a29ec646ea875dc98

SHA256
b37c2722d9810356da916b20a752317994b043b803f04fe3acac555e60bbb476

SHA512
811e911cf319fbf0273f71fb1f85d981d00f59903b62d5b035552ae4813a74c96bd30144e42b0d870b6fde94805f89559dc05eeaa7977702334be0ed69090533

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_PTB.lng

Filesize
7KB

MD5
8830dc9555712d6b61a87455f21e645a

SHA1
9dbcc51822d9184db4c33fd68f82f7dbfbcba89e

SHA256
933d02928df0239c08390846f98841b6fe3b8086ec96ecdd95f53305c3e8a662

SHA512
456b616b4c80f7bf4efce171d4c9644a6ef0d4c4aa13c7ad2108145880380881f3a83f96a9d1fbbff1623fab8f173f1b8ae602d75b61e531056e561a92d7110e

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_RUS.lng

Filesize
7KB

MD5
12c0c9b9ebe5c6f78b7456cf97156fe7

SHA1
4cc5b97297bb61a6281e34e80c1cfe034678b8c0

SHA256
1ba4e6ee1648fb710b3c7736c0107ae08eb081b89546e3c5ba0381868d344742

SHA512
c0144308e02a0ca8369459ef64c7403673ae45b834b1dbc3379efebc23e0072b95ac7e8e9e6f7433398b3da1ab1c905fed536eba8871f497becaf15eec532f14

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_SER.lng

Filesize
7KB

MD5
498ebfe019eb9394afbd53904476e76c

SHA1
0476e36ad0538701698a2d4a56facf1824c1a83d

SHA256
831c37817e54cb0d31037d3700ae29e025ea7dc860dd109c47389c8c24a2ac9e

SHA512
0c52699965bf0884119e6fdf1923d51c275ab5205bb7f6fca679bc0b17892a661d3808fe63e55a07b1d0908d52fe48ae065d85de8e668e8fc7bf24c56c6e04e1

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_SKY.lng

Filesize
7KB

MD5
17223e97a56d812321df841abf0093de

SHA1
067bf5ab6a46d388bd6a6aa44ec04c0b509fef79

SHA256
20aaf54ef9ae436b320c9df18710215a4783d7093ad7326f79b16c40f327001c

SHA512
1ba916a305632295c424c84be9e7083b5c0d9b0055c834897279138e3c3f6a74d4ea5baedd632500bb0e5e9fe74144c8a1ee53f050b8a5e32ec415140b5fe6b6

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_SVE.lng

Filesize
6KB

MD5
208dc54bee463571062261a5c18f23c9

SHA1
5ac5cc040b129fb0de209e809370328321818eea

SHA256
f072eba5abfd7d3ea10bf4e1ff92bb6e2a44e313b7e68475abfe6d3b77822dfb

SHA512
0a6e7d032a5a581dd89eca83d850660776e2cc88c1e440739b46e3ac06ace9b1f20da8bb8fc8517a8dd9eb2c05606dc1cbd6a6f2b37b5f972e1c5214cf785be6

Download Submit
C:\PROGRA~2\DVDREG~1\Language\DVDIdle_UKR.lng

Filesize
7KB

MD5
b210358714083b18ffb78c6765ceb8fb

SHA1
ac7eb8ff764385abf432058d2fb23502af96f6a9

SHA256
a4c84d2f12ff252922a78bed639c9f38a88d14d7a83346b4cfd74cf210917b8d

SHA512
19a16c177a92384df09030a7cee71f243063c294a6edc2dccfb0cbef21522c00fd041ebef063b7b4ccad03112ac96502264d6f1d3fced5df3e24bfe366634658

Download Submit
C:\Program Files (x86)\DVD Region+CSS Free\DVDShell.dll

Filesize
48KB

MD5
ccbc4135003d1437365a3d4fc69e59b1

SHA1
987526ec5ba3ebb89475b7c2287b4029a4025c75

SHA256
127dff6b66500ab5d999fe4a4cd8c40400e2352c7f51024ed2b77b2bbe613262

SHA512
2f56b6a2aa859d5b75192e390f0f84c307e79c052ff4846c9ea9b281d6784a55980f77cf5b43f59d111b0e0fe78019086fad046fc88ff5ccd46341deecdbf92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe

Filesize
92KB

MD5
2e8a63a935822684bc3538a61749d9d2

SHA1
f76afcfba1f52fb8eb3e9c217d4a073117ee110a

SHA256
7ac2375c6569ad1f8e25ee7fc4a4ebcb0425bbd5ab19c2844f1580a8e0fcab76

SHA512
dcf63037bd7389900bddb1ec87168183d6ea6ff569ecb88e7fd52fe5a4d6c535931ea86b83d5e8300476e8b10677f3545b2e2eefe6df5ce877cfaade4e7444b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\register.reg

Filesize
588B

MD5
94bb574f92479c0552d5bb5e4ac423e5

SHA1
6b208e3f2d72ce70e81629d42ab432814bd5fd7d

SHA256
3a3aab3509aa30369dd86a1d851b0e75f49b1736933b4c092d1ceb237a09e192

SHA512
7d2a47d62974585b0807ce48c3e3162d0b802be763ecfd221515cf95e66e7a3580c539067dadd4db03870c46230b489ddcf4fa4a817c1f7baf1cff6ae7616ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
a86fd373a1744707a8b3b9f8ea0167fe

SHA1
4305393450329bba019c4be27475312c1441a3dc

SHA256
77a32b23ce4aabf1b3916d0f043143d0d5d4878c523830587ea1aa464982f4f5

SHA512
bd347d0688a50011f4a51c61d1740b2b0e2a38fdc02cd13c92eaaedc50cd0cb1919c28a897abffcf01c70501b0d722d8109e5fb1edaca0ffaf3b53872bef4069

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sleep.exe

Filesize
25KB

MD5
0a30d27c2228363aa403683db1c36906

SHA1
8cc0b5b13e4d8c86ddba38d368716edcdaa0b583

SHA256
15ddb357bd3411d3215b95d560b2161afbb02ffe85811c3f76138e6dc4531acd

SHA512
9bc733ad8b7a7f75822e9257e3765fe31b48b640e1edae0920f9434a33be158bb809d65b7092c9e47387956a1602dc8f0645d229d113d35693ee8151374749bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt7354.bat

Filesize
298B

MD5
f4b879c8d6004e589ad3f3d98ff8d301

SHA1
9d10faaa83e6751b4e9a6155e52c14d6d9fa2f1e

SHA256
510d482e88b09fad2846ae2d20d6441d0b6dfbf3c2a6c2819c3910a9b23f8dce

SHA512
34737c6bc42d9fdcf02cae84d988baf8cc82e4a966840e709849055f9848711d5f3ef3cdaf029e25af6d68029ae20c8f76716fc3069e035d38ff5e85daee2b82

Download Submit
C:\Users\Admin\Desktop\DVD Region+CSS Free.lnk

Filesize
1KB

MD5
cf5c85753778c51744cc70204b598efe

SHA1
33a3fd87f50a8a13028f096ccba35333969cd183

SHA256
c30d00eb4a76fb90b487eba74d58823c779b6711354149243606162859dedded

SHA512
1d7be652af94b8489ae714b5daa72044e0645e88a2e16ed39d399c44b978e364f753a8f6fa22aa16eb7f61adbf799aa098eddbb40e8f6a5b8fe63184cc537cd0

Download Submit
\Program Files (x86)\DVD Region+CSS Free\DVDRegionFree.exe

Filesize
252KB

MD5
f6bb2cae6106ff963836e0680ce4b8a1

SHA1
27a9cfa7153c70abafb16d948433118db21532ba

SHA256
5ecb6a753ee16e95f79ee1a42a1b7699ae45a91ac47634345e93dbaef10b418a

SHA512
a85bb66b2d673bf956fc65e0516a19c590b68f551f56a08521cb775d02591571da6ba9c640090255c936b0f09a5e0ad4e257847ce3b45b2d35cfd5a14a6df762

Download Submit
\Program Files (x86)\DVD Region+CSS Free\DVDSys.dll

Filesize
156KB

MD5
2662aa72f3378c333fc0688b4162310d

SHA1
44d3bce0f9e59fedeb2c3e40bf7e9daf444055a9

SHA256
f80b174004a60714422abb7c02f652a0f411b4bd041ee544f55c11e1ef48c27d

SHA512
bbd3c6d3687257e38aacb31ac01891f4fa2e2a15eeabfe2c849b34ca2ee4afd4dce634a84c2b9d22ea53d63c251a64ad78aa2aed20373507bcc7e0bc89d3f7ed

Download Submit
\Program Files (x86)\DVD Region+CSS Free\unins000.exe

Filesize
662KB

MD5
86040aa3ea21249900bb97245e96ac1a

SHA1
b0eb8a66159532f85695c3e205c39848c3f30d62

SHA256
4e5df8382d060bce6bfc95968729f725bedf29d25a7c050eca50f8bde6c119a5

SHA512
0e074e74d80e8bc3fe79141d3d8c74fb1344e4da0e88af1ede9020d7218b9f9fd31c66da07512fbdc4ae8c9cf242f86c338a38c8f0630ca6988393d58d329c0e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
146KB

MD5
52f2df9cc1264448f72e87898dcaa39b

SHA1
f7cac1cea89b7fcabd986d31183cfe86d1e7fc34

SHA256
570335085cccd133a0463b70610c2d68bdea4c2f07418a424539209e35c77ccc

SHA512
a3df8de09dd2fe4a239b0727a6de595b03bc56bc2c140deb1dfc0e48b88da6a7dbaa73ea72d101322b24a988aa9c554a5b878edc28f3f1c2ef5e4c2f8f04761b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1I851.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5PBU2.tmp\is-QKLR0.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
memory/1936-158-0x0000000000240000-0x00000000002C0000-memory.dmp

Filesize
512KB

Download
memory/1936-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1936-189-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2432-208-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2788-194-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2936-154-0x0000000005A40000-0x0000000005AC0000-memory.dmp

Filesize
512KB

Download
memory/2936-141-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2936-152-0x0000000005A40000-0x0000000005AC0000-memory.dmp

Filesize
512KB

Download
memory/2936-193-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2936-123-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3012-207-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download