52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
Size

262KB
MD5

1ca75a402f294bb1335ff4eef986e32e
SHA1

9750128a6ee6b7f83436d99054113c056a6bfd10
SHA256

52b92a536bc1ffea65c2bdb27f51825d74f41926289c7a8d3f65b7400dddd483
SHA512

458d488b4c32c68b16a0b4d20167a07329025a72395cb8e6e10f9bde966f452bc58f11aae97e0a638519607b3705449dfed6c5f009918e1a860d139680d40c0a
SSDEEP

6144:+TpqGbdkGtc/pIG9puxV3XW27azxQBSfhmBrW9Yg3I/heafx3k:7GbdkGoIG2xVHW2m9QQJgWmg3SheafxU

Score

10^/10

evasion execution upx vmprotect

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

Processes:

0912-30.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	0912-30.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	0912-30.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exeope5323.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	ope5323.exe

Executes dropped EXE 5 IoCs

Processes:

ope5285.exeope5303.exeope5323.exeÐÂ¶þ´úÎÏÅ£.exe0912-30.exe

pid process

2680 ope5285.exe
4368 ope5303.exe
1116 ope5323.exe
3228 ÐÂ¶þ´úÎÏÅ£.exe
3656 0912-30.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe0912-30.exe

pid process

972 rundll32.exe
3656 0912-30.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ope5323.exe	upx
behavioral2/memory/1116-30-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1116-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ÐÂ¶þ´úÎÏÅ£.exe	vmprotect
behavioral2/memory/3228-48-0x0000000000400000-0x0000000000432000-memory.dmp	vmprotect
behavioral2/memory/3228-60-0x0000000000400000-0x0000000000432000-memory.dmp	vmprotect

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0912-30.exe

description	ioc	process
File created	C:\autorun.inf	0912-30.exe
File opened for modification	C:\autorun.inf	0912-30.exe
File created	F:\autorun.inf	0912-30.exe
File opened for modification	F:\autorun.inf	0912-30.exe

Drops file in System32 directory 1 IoCs

Processes:

0912-30.exe

description ioc process

File created C:\Windows\SysWOW64\func.dll 0912-30.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ÐÂ¶þ´úÎÏÅ£.exe

pid process

3228 ÐÂ¶þ´úÎÏÅ£.exe
Drops file in Windows directory 1 IoCs

Processes:

0912-30.exe

description ioc process

File created C:\Windows\phpi.dll 0912-30.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3184 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4480 3228 WerFault.exe ÐÂ¶þ´úÎÏÅ£.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3280 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1552 taskkill.exe
1972 taskkill.exe
4948 taskkill.exe

description	ioc	process
File created	C:\Windows\SysWOW64\func.dll	0912-30.exe

pid	process
3228	ÐÂ¶þ´úÎÏÅ£.exe

description	ioc	process
File created	C:\Windows\phpi.dll	0912-30.exe

pid	process
3184	sc.exe

pid	pid_target	process	target process
4480	3228	WerFault.exe	ÐÂ¶þ´úÎÏÅ£.exe

pid	process
3280	ipconfig.exe

pid	process
1552	taskkill.exe
1972	taskkill.exe
4948	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	972	rundll32.exe
Token: SeDebugPrivilege	972	rundll32.exe
Token: SeDebugPrivilege	972	rundll32.exe
Token: SeDebugPrivilege	972	rundll32.exe
Token: SeDebugPrivilege	972	rundll32.exe
Token: SeDebugPrivilege	972	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ope5285.exe

pid	process
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe
2680	ope5285.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ope5285.exeope5303.exeÐÂ¶þ´úÎÏÅ£.exe

pid process

2680 ope5285.exe
4368 ope5303.exe
4368 ope5303.exe
4368 ope5303.exe
3228 ÐÂ¶þ´úÎÏÅ£.exe
3228 ÐÂ¶þ´úÎÏÅ£.exe
3228 ÐÂ¶þ´úÎÏÅ£.exe
3228 ÐÂ¶þ´úÎÏÅ£.exe
4368 ope5303.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exeope5323.exe0912-30.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 372 wrote to memory of 2680	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5285.exe
PID 372 wrote to memory of 2680	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5285.exe
PID 372 wrote to memory of 2680	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5285.exe
PID 372 wrote to memory of 4368	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5303.exe
PID 372 wrote to memory of 4368	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5303.exe
PID 372 wrote to memory of 4368	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5303.exe
PID 372 wrote to memory of 1116	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5323.exe
PID 372 wrote to memory of 1116	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5323.exe
PID 372 wrote to memory of 1116	372	1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe	ope5323.exe
PID 1116 wrote to memory of 3228	1116	ope5323.exe	ÐÂ¶þ´úÎÏÅ£.exe
PID 1116 wrote to memory of 3228	1116	ope5323.exe	ÐÂ¶þ´úÎÏÅ£.exe
PID 1116 wrote to memory of 3228	1116	ope5323.exe	ÐÂ¶þ´úÎÏÅ£.exe
PID 1116 wrote to memory of 3656	1116	ope5323.exe	0912-30.exe
PID 1116 wrote to memory of 3656	1116	ope5323.exe	0912-30.exe
PID 1116 wrote to memory of 3656	1116	ope5323.exe	0912-30.exe
PID 3656 wrote to memory of 4024	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4024	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4024	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4008	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4008	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4008	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 2768	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 2768	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 2768	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4020	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4020	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4020	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4844	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4844	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 4844	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 5100	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 5100	3656	0912-30.exe	cmd.exe
PID 3656 wrote to memory of 5100	3656	0912-30.exe	cmd.exe
PID 4024 wrote to memory of 4796	4024	cmd.exe	cacls.exe
PID 4024 wrote to memory of 4796	4024	cmd.exe	cacls.exe
PID 4024 wrote to memory of 4796	4024	cmd.exe	cacls.exe
PID 4008 wrote to memory of 1676	4008	cmd.exe	cacls.exe
PID 4008 wrote to memory of 1676	4008	cmd.exe	cacls.exe
PID 4008 wrote to memory of 1676	4008	cmd.exe	cacls.exe
PID 4844 wrote to memory of 1552	4844	cmd.exe	taskkill.exe
PID 4844 wrote to memory of 1552	4844	cmd.exe	taskkill.exe
PID 4844 wrote to memory of 1552	4844	cmd.exe	taskkill.exe
PID 4020 wrote to memory of 1972	4020	cmd.exe	taskkill.exe
PID 4020 wrote to memory of 1972	4020	cmd.exe	taskkill.exe
PID 4020 wrote to memory of 1972	4020	cmd.exe	taskkill.exe
PID 5100 wrote to memory of 4948	5100	cmd.exe	taskkill.exe
PID 5100 wrote to memory of 4948	5100	cmd.exe	taskkill.exe
PID 5100 wrote to memory of 4948	5100	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 3184	2768	cmd.exe	sc.exe
PID 2768 wrote to memory of 3184	2768	cmd.exe	sc.exe
PID 2768 wrote to memory of 3184	2768	cmd.exe	sc.exe
PID 3656 wrote to memory of 972	3656	0912-30.exe	rundll32.exe
PID 3656 wrote to memory of 972	3656	0912-30.exe	rundll32.exe
PID 3656 wrote to memory of 972	3656	0912-30.exe	rundll32.exe
PID 3656 wrote to memory of 3280	3656	0912-30.exe	ipconfig.exe
PID 3656 wrote to memory of 3280	3656	0912-30.exe	ipconfig.exe
PID 3656 wrote to memory of 3280	3656	0912-30.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ca75a402f294bb1335ff4eef986e32e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\ope5285.exe
"C:\Users\Admin\AppData\Local\Temp\ope5285.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Users\Admin\AppData\Local\Temp\ope5303.exe
"C:\Users\Admin\AppData\Local\Temp\ope5303.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Users\Admin\AppData\Local\Temp\ope5323.exe
"C:\Users\Admin\AppData\Local\Temp\ope5323.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\ÐÂ¶þ´úÎÏÅ£.exe
"C:\Users\Admin\AppData\Local\Temp\ÐÂ¶þ´úÎÏÅ£.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1524
4⤵
- Program crash
PID:4480

C:\Users\Admin\AppData\Local\Temp\0912-30.exe
"C:\Users\Admin\AppData\Local\Temp\0912-30.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows /e /p everyone:f
4⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows /e /p everyone:f
5⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
4⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
5⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c sc config ekrn start= disabled
4⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\sc.exe
sc config ekrn start= disabled
5⤵
- Launches sc.exe
PID:3184

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ekrn.exe /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ekrn.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im egui.exe /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im egui.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ScanFrm.exe /f
4⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ScanFrm.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe func.dll, droqp
4⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3228 -ip 3228
1⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0912-30.exe
Filesize
90KB

MD5
9f039b4fdb361f6e714017dadbc33b31

SHA1
66188db5777bde28b7dd5c42a8d2b33525f6efee

SHA256
1c7573392dea90a478b55cd016a71b0860d6cf806c48aa3311515a485d2225ea

SHA512
89f2c5fbd97c2484a148732983a8da490c5e68cc39c7da858f7c6ba3fd36cae0d1091d076c040292db4a78fb0758d55905a7d4f85a7178712aedac6b1fc0d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope5285.exe
Filesize
48KB

MD5
061ebda084967cfc3f4b7b82cdb2f53a

SHA1
6c1b07266e48c897f2f527eee6fb69c1deb15c3d

SHA256
523ab56abe84299312c4a9ae3f8f51ac2c94945b645ab7ce4b71ca70e53ac54a

SHA512
367ce84333e96793bd05433beac486742ce8dec64b4f523b5d801f17c5e73e525887ec517c24d1473cc02d6dc7b9e8916fca583d607640d345c1ac7a942727f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope5303.exe
Filesize
13KB

MD5
abad1b482c43c63f61b6c8339d28fe0b

SHA1
422ad639cc3a7e66b07cfef8d70f2c9ada696b6a

SHA256
fce8ca5a4e9e2c4e4217e88c13409dd1dcc45fe21694bffc8a896c59dc569846

SHA512
a8f9bab671b59eaf65bf40247e782a2378c08f187d71819c1648f3f3ddfcab15376e88f583477aa04aa755d0ca2146dab4241e5224883d6e364584139b00b59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope5323.exe
Filesize
176KB

MD5
a3aac54092a09c478d154887f17811d9

SHA1
f557e12c1902ac1f4d4eb9ae97190b0900c1d757

SHA256
07a83cef4c0bf88e77e782a6b816266f1859260903ca1838cb49276cd66fbc57

SHA512
0ad74cd8bdf1e5d9f0bfd37a2f4b9830bffdf21dabdba9c4e04298d5098dd6046af8278b4320c4f17384de3bb7f84388589578177d35a99d1a633fa4ec2308a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂ¶þ´úÎÏÅ£.exe
Filesize
124KB

MD5
d0c97fa3759353b1dac28b4e8b4149c4

SHA1
f58bb65145a51a2f8865cddc7b46f32f5978f4af

SHA256
19b127adc0794859711e12407ed9858a760808face340caea761750afaaf90e1

SHA512
5223dc7798a04c4673b46235e150bc4715728b50911935db28d52f6974f062882881ef1737364b6af48ef234749a4c81c6061c350ad0469cc7e291db881fccb5

Download Submit
C:\Windows\SysWOW64\func.dll
Filesize
37KB

MD5
6cd118587034689dfa6fe497415001a6

SHA1
9dbcc3ac6e25201084abebc0e75109b364164102

SHA256
9afa20447f2b2ebdd08d7372f4b31e20952fdbfa39088d8108769e32c86ee4e4

SHA512
65330eb67cf56566202b25d42e890770ded5460c5f8dd4788d3816d87b728c40b9d0bd341bf2e4fb3bacb5519d593ce34fc0140eae6d4cce35de1bea59b67fa4

Download Submit
C:\Windows\phpi.dll
Filesize
44KB

MD5
4adfbb290252797fc156fe443a17dba4

SHA1
5a95598777a4751596e95dd04f9318fd84da8026

SHA256
c602dfdd436d53f4776ad3723737c5f8430a314f24ac124e33421388b58a4739

SHA512
54570fd0f2385bb0cf96536d5dd0c7f62a82b82853c08d2b2a86859a4365c5de688ee8bc3501838ed87692e059f3b9972b0f810adc32d0806ff13db2caf56a2e

Download Submit
memory/372-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/372-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1116-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3228-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3228-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

pid	process
2680	ope5285.exe
4368	ope5303.exe
1116	ope5323.exe
3228	ÐÂ¶þ´úÎÏÅ£.exe
3656	0912-30.exe