59f2d3cea071418ab37470e9b00bf5d6c994043360e6de796e56a60771440ac2

Analysis

max time kernel
126s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
Size

292KB
MD5

be74cbb86c007309d8004d910f5270f7
SHA1

b5cf97257a2d98a9402eec13c645e2386762f556
SHA256

59f2d3cea071418ab37470e9b00bf5d6c994043360e6de796e56a60771440ac2
SHA512

03f0e1543073c9d2277d3fe65006c284413942cfb812b231de3df3c387a18d07ec8b3819f9da2dbbda88cc2a98fa7f256be8fb6803e612325c000b315cd7188e
SSDEEP

6144:6DsVIqXUrsYBrYo8J5Ydf+fPQHyTX/0tisSKBBw9odZA6n4+hPy:f6qXksKrYHOGnQHyTv0tisSkGCA6n4+k

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mchInjDrv\ImagePath = "\\??\\C:\\Windows\\TEMP\\mc2F71B.tmp"	woaisaomm.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	woaisaomm.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	woaisaomm.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	118.184.184.8
Destination IP	118.184.184.8
Destination IP	118.184.184.8

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	woaisaomm.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\GMOPAZ.DAT	be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
File created	C:\Windows\system\woaisaomm.exe	be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
File opened for modification	C:\Windows\system\woaisaomm.exe	be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woaisaomm.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecision = "0"	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecision = "0"	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionReason = "1"	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionTime = 8058f25615f6da01	woaisaomm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDetectedUrl	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	woaisaomm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadNetworkName = "Network 3"	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\System	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionTime = e0a40f9c15f6da01	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}	woaisaomm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionTime = e0a40f9c15f6da01	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\1e-fd-53-ca-e5-b2	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionReason = "1"	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	woaisaomm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionTime = 8058f25615f6da01	woaisaomm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	woaisaomm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	woaisaomm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	woaisaomm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	woaisaomm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe
2772	woaisaomm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2772	woaisaomm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	woaisaomm.exe
Token: SeAssignPrimaryTokenPrivilege	2772	woaisaomm.exe
Token: SeIncreaseQuotaPrivilege	2772	woaisaomm.exe
Token: SeSecurityPrivilege	2772	woaisaomm.exe
Token: SeTakeOwnershipPrivilege	2772	woaisaomm.exe
Token: SeLoadDriverPrivilege	2772	woaisaomm.exe
Token: SeSystemtimePrivilege	2772	woaisaomm.exe
Token: SeShutdownPrivilege	2772	woaisaomm.exe
Token: SeSystemEnvironmentPrivilege	2772	woaisaomm.exe
Token: SeUndockPrivilege	2772	woaisaomm.exe
Token: SeManageVolumePrivilege	2772	woaisaomm.exe
Token: SeDebugPrivilege	2772	woaisaomm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	woaisaomm.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2796	2772	woaisaomm.exe	30
PID 2772 wrote to memory of 2796	2772	woaisaomm.exe	30
PID 2772 wrote to memory of 2796	2772	woaisaomm.exe	30
PID 2772 wrote to memory of 2796	2772	woaisaomm.exe	30
PID 2772 wrote to memory of 256	2772	woaisaomm.exe	1
PID 2772 wrote to memory of 256	2772	woaisaomm.exe	1
PID 2772 wrote to memory of 332	2772	woaisaomm.exe	2
PID 2772 wrote to memory of 332	2772	woaisaomm.exe	2
PID 2772 wrote to memory of 360	2772	woaisaomm.exe	3
PID 2772 wrote to memory of 360	2772	woaisaomm.exe	3
PID 2772 wrote to memory of 384	2772	woaisaomm.exe	4
PID 2772 wrote to memory of 384	2772	woaisaomm.exe	4
PID 2772 wrote to memory of 384	2772	woaisaomm.exe	4
PID 2772 wrote to memory of 420	2772	woaisaomm.exe	5
PID 2772 wrote to memory of 420	2772	woaisaomm.exe	5
PID 2772 wrote to memory of 420	2772	woaisaomm.exe	5
PID 2772 wrote to memory of 464	2772	woaisaomm.exe	6
PID 2772 wrote to memory of 464	2772	woaisaomm.exe	6
PID 2772 wrote to memory of 480	2772	woaisaomm.exe	7
PID 2772 wrote to memory of 480	2772	woaisaomm.exe	7
PID 2772 wrote to memory of 488	2772	woaisaomm.exe	8
PID 2772 wrote to memory of 488	2772	woaisaomm.exe	8
PID 2772 wrote to memory of 604	2772	woaisaomm.exe	9
PID 2772 wrote to memory of 604	2772	woaisaomm.exe	9
PID 2772 wrote to memory of 684	2772	woaisaomm.exe	10
PID 2772 wrote to memory of 684	2772	woaisaomm.exe	10
PID 2772 wrote to memory of 760	2772	woaisaomm.exe	11
PID 2772 wrote to memory of 760	2772	woaisaomm.exe	11
PID 2772 wrote to memory of 816	2772	woaisaomm.exe	12
PID 2772 wrote to memory of 816	2772	woaisaomm.exe	12
PID 2772 wrote to memory of 852	2772	woaisaomm.exe	13
PID 2772 wrote to memory of 852	2772	woaisaomm.exe	13
PID 2772 wrote to memory of 992	2772	woaisaomm.exe	14
PID 2772 wrote to memory of 992	2772	woaisaomm.exe	14
PID 2772 wrote to memory of 296	2772	woaisaomm.exe	15
PID 2772 wrote to memory of 296	2772	woaisaomm.exe	15
PID 2772 wrote to memory of 308	2772	woaisaomm.exe	16
PID 2772 wrote to memory of 308	2772	woaisaomm.exe	16
PID 2772 wrote to memory of 1040	2772	woaisaomm.exe	17
PID 2772 wrote to memory of 1040	2772	woaisaomm.exe	17
PID 2772 wrote to memory of 1116	2772	woaisaomm.exe	18
PID 2772 wrote to memory of 1116	2772	woaisaomm.exe	18
PID 2772 wrote to memory of 1116	2772	woaisaomm.exe	18
PID 2772 wrote to memory of 1172	2772	woaisaomm.exe	19
PID 2772 wrote to memory of 1172	2772	woaisaomm.exe	19
PID 2772 wrote to memory of 1172	2772	woaisaomm.exe	19
PID 2772 wrote to memory of 1220	2772	woaisaomm.exe	20
PID 2772 wrote to memory of 1220	2772	woaisaomm.exe	20
PID 2772 wrote to memory of 1220	2772	woaisaomm.exe	20
PID 2772 wrote to memory of 1612	2772	woaisaomm.exe	22
PID 2772 wrote to memory of 1612	2772	woaisaomm.exe	22
PID 2772 wrote to memory of 1612	2772	woaisaomm.exe	22
PID 2772 wrote to memory of 800	2772	woaisaomm.exe	23
PID 2772 wrote to memory of 800	2772	woaisaomm.exe	23
PID 2772 wrote to memory of 1072	2772	woaisaomm.exe	24
PID 2772 wrote to memory of 1072	2772	woaisaomm.exe	24
PID 2772 wrote to memory of 1972	2772	woaisaomm.exe	25
PID 2772 wrote to memory of 1972	2772	woaisaomm.exe	25
PID 2772 wrote to memory of 1948	2772	woaisaomm.exe	26
PID 2772 wrote to memory of 1948	2772	woaisaomm.exe	26

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:360
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1612
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1072
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
  - - C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x498
      4⤵
      PID:2748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:800
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1972
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1948
- - C:\Windows\system\woaisaomm.exe
    C:\Windows\system\woaisaomm.exe
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      PID:2796
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:480
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\be74cbb86c007309d8004d910f5270f7_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GMOPAZ.DAT

Filesize
57KB

MD5
6aedb5f38c472fdd9b6329349b4cf96e

SHA1
c27da31efdf89a0caa20e8fef42df14d82260f41

SHA256
80c1e5f80ec81aa92a8cbc50595c63cb62e65cff882b68ebc256b3efd0f6fa73

SHA512
e90bdcfdc9adc8bd8720b81dd6bf024310350177525bfdfab33180f7bb3c38df682ab52f69bbb25438de525efb990415d2ef4bb40ac56b2d6ba5502fb3eaa193

Download Submit
C:\Windows\system\woaisaomm.exe

Filesize
292KB

MD5
be74cbb86c007309d8004d910f5270f7

SHA1
b5cf97257a2d98a9402eec13c645e2386762f556

SHA256
59f2d3cea071418ab37470e9b00bf5d6c994043360e6de796e56a60771440ac2

SHA512
03f0e1543073c9d2277d3fe65006c284413942cfb812b231de3df3c387a18d07ec8b3819f9da2dbbda88cc2a98fa7f256be8fb6803e612325c000b315cd7188e

Download Submit
memory/256-19-0x000000005F000000-0x000000005F001000-memory.dmp

Filesize
4KB

Download
memory/2772-79-0x000000005F000000-0x000000005F001000-memory.dmp

Filesize
4KB

Download
memory/2772-84-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2772-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2772-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2772-9-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2772-83-0x0000000002120000-0x0000000002155000-memory.dmp

Filesize
212KB

Download
memory/2772-82-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2772-15-0x0000000002120000-0x0000000002155000-memory.dmp

Filesize
212KB

Download
memory/2772-16-0x0000000002120000-0x0000000002155000-memory.dmp

Filesize
212KB

Download
memory/2772-81-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2992-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2992-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2992-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2992-12-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2992-2-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download