Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
Size: 176KB
MD5: d6bdbd633799083892ae333a5d16f5b7
SHA1: 89ac52b58a6b6cd1d5844833318c27d53a3212fc
SHA256: f84392a6ec9d2451c71475d7d257a0baa3df0613f7c2a8eb5721c5aea4df4c3b
SHA512: ed17906049a910a1e40df36164848a04e79cf51c5f1efeea139e5393d810d752572f54a9a3c1379c258f2fe7f911388622a20a0f46cf0fdd421f81ae594562f8
SSDEEP: 3072:wP13b4ooAAA6c9RJoaZoV9456s6jNIzsn1dpTOYYiR6:wPdb4MhwaA1TrYi
Malware Config
Signatures
Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\aec.SYS | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\AsyncMac.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\pcidump.sys | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142vpc{,gzg\142vpc{,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\RavTask.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Oaqjkgnf,gzg\Oaqjkgnf,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Pct,gzg\Pct,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\kmailmon.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zamooqtp,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe\mcinsupd.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oawrfoep,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PqVpc{,gzg\PqVpc{,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\mcproxy.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oalcqta,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OaLCQta,gzg\oalcqta,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.KXP | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\livesrv.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAglvgp,gzg\AAglvgp,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ORQTA,GZG\ORQTA,GZG = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ORQTA1,GZG\ORQTA1,GZG = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ORQTA1,GZG | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\mcshell.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IRDU10,GZG | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\egui.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\RavMonD.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSFmavmp,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe\antiarp.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.EXE\KPFW32.EXE = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe\360Safebox.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\ScanFrm.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qcdg`mzVpc{,gzg\qcdg`mzVpc{,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Pct,gzg | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAglvgp,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaq{qoml,gzg\oaq{qoml,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\RsAgent.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142Qcdg`mz,gzg | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aacrr,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe\rtvscan.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fgducvaj,gzg | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaqjgnn,gzg\oaqjgnn,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IctQvcpv,gzg\IctQvcpv,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aacrr,gzg\aacrr,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OaLCQta,gzg\OaLCQta,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Oaqjkgnf,gzg\oaqjkgnf,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe\ccEvtMgr.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zamooqtp,gzg\zamooqtp,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqqgpt,gzg\tqqgpt,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OaRpmz{,gzg\oarpmz{,gzg = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.EXE | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\vptray.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\ekrn.exe = "C:\\Windows\\system32\\svchost.exe" | rundll32.exe
Executes dropped EXE (1 IoC)
pid | Process
788 | ~Frm.exe
Loads dropped DLL (7 IoCs)
pid | Process
2240 | rundll32.exe
2240 | rundll32.exe
2240 | rundll32.exe
2240 | rundll32.exe
848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
444 | svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Windows\\system32\\updater.exe" | ~Frm.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\killdll.dll | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~Frm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
2240 | rundll32.exe
2240 | rundll32.exe
2240 | rundll32.exe
2240 | rundll32.exe
Suspicious behavior: LoadsDriver (6 IoCs)
pid | Process
476 | Process not Found
476 | Process not Found
476 | Process not Found
476 | Process not Found
476 | Process not Found
476 | Process not Found
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2240 | rundll32.exe
Token: SeDebugPrivilege | 2240 | rundll32.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 2240 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 28
PID 848 wrote to memory of 788 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 29
PID 848 wrote to memory of 788 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 29
PID 848 wrote to memory of 788 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 29
PID 848 wrote to memory of 788 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 29
PID 788 wrote to memory of 444 | 788 | ~Frm.exe | 30
PID 788 wrote to memory of 444 | 788 | ~Frm.exe | 30
PID 788 wrote to memory of 444 | 788 | ~Frm.exe | 30
PID 788 wrote to memory of 444 | 788 | ~Frm.exe | 30
PID 788 wrote to memory of 444 | 788 | ~Frm.exe | 30
PID 848 wrote to memory of 2532 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 32
PID 848 wrote to memory of 2532 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 32
PID 848 wrote to memory of 2532 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 32
PID 848 wrote to memory of 2532 | 848 | d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe | 32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6bdbd633799083892ae333a5d16f5b7_JaffaCakes118.exe"
  PID: 848
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\\rundll32.exe C:\Windows\system32\\killdll.dll killall
    PID: 2240
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Users\Admin\AppData\Local\Temp\~Frm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\~Frm.exe
    PID: 788
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 444
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\_undelme.bat
    PID: 2532
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads