kinsing | 300fe6224578b1254a43444f7e1783dd608a6c065d4e6089e7560e719fc787b2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

duisc.exe
Size

262KB
MD5

28199122b75f244cd44d2dfc0107dc03
SHA1

5a8b0ad0cdd4864d421916f5034a6913035750c1
SHA256

a345cbd37c52c9926d789826a82f1d1a17986d1833e21ffc97afed70e1a0a4e1
SHA512

331755f64a8d41332e59787b628f26c526340bc73eb7acbecf1fe6ac461710d6b97fa524556ac53a23118f2e0f4649659701ca018d47e9749c3901c2f71aebe5
SSDEEP

3072:XHYR8jkJ5y+wLjOKWeKI9hyqfDydmfPmbAT2V1p9p7/Wg8gV6tZy4co28kd+06bb:oEXueBjyAGkqV1pPWVw4BEe5uqmGv

Score

10^/10

kinsing adware discovery loader persistence stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Blocklisted process makes network request 3 IoCs

Processes:

RunDll32.exeRunDll32.exe

flow pid process

6 1208 RunDll32.exe
7 4796 RunDll32.exe
8 4796 RunDll32.exe
Executes dropped EXE 1 IoCs

Processes:

CFSQdll.exe

pid process

3304 CFSQdll.exe

flow	pid	process
6	1208	RunDll32.exe
7	4796	RunDll32.exe
8	4796	RunDll32.exe

pid	process
3304	CFSQdll.exe

Loads dropped DLL 11 IoCs

Processes:

RunDll32.exeRunDll32.exeRundll32.exe

pid	process
1208	RunDll32.exe
4796	RunDll32.exe
2728	Rundll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
4796	RunDll32.exe
4796	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

duisc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs"	duisc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

RunDll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper"	RunDll32.exe

Drops file in System32 directory 25 IoCs

Processes:

duisc.exeRundll32.exeRunDll32.exeRunDll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msibm\post.tpl	duisc.exe
File created	C:\Windows\SysWOW64\msibm\intro.tpl	duisc.exe
File created	C:\Windows\SysWOW64\msibm\cfs7zd.DLL	duisc.exe
File opened for modification	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\msibm\CFSQdll.exe	duisc.exe
File opened for modification	C:\Windows\SysWOW64\ibmuuid_.dll	RunDll32.exe
File created	C:\Windows\SysWOW64\msuuid_.dll	RunDll32.exe
File created	C:\Windows\SysWOW64\ibmuuid_.dll	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\msibm\cfsupd.dll	duisc.exe
File created	C:\Windows\SysWOW64\msibm\intro.htm	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\CFSQdll.exe	duisc.exe
File created	C:\Windows\SysWOW64\msibm\cfsys.dll	duisc.exe
File created	C:\Windows\SysWOW64\msibm\post.htm	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\Uninstall.exe	duisc.exe
File created	C:\Windows\SysWOW64\msibm\lowlvl.dll	duisc.exe
File created	C:\Windows\SysWOW64\msvendr_.dll	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\post.tpl	duisc.exe
File opened for modification	C:\Windows\SysWOW64\msibm\intro.tpl	duisc.exe
File created	C:\Windows\SysWOW64\msibm\linbak.dll	duisc.exe
File created	C:\Windows\SysWOW64\msibm\cfsbho.dll	duisc.exe
File opened for modification	C:\Windows\SysWOW64\ibmvdr_.dll	duisc.exe
File created	C:\Windows\SysWOW64\ibmvdr_.dll	duisc.exe
File opened for modification	C:\Windows\SysWOW64\msuuid_.dll	RunDll32.exe

Modifies registry class 51 IoCs

Processes:

RunDll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ThreadingModel = "apartment"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\msibm\\"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer\ = "cfsbho.BHelper.1"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\InprocServer32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\AppID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "CBHelper Object"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\HELPDIR	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID\ = "cfsbho.BHelper.1"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL\AppID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\VersionIndependentProgID\ = "cfsbho.BHelper"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS\ = "0"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\msibm\\cfsbho.dll"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CLSID\ = "{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\ = "cfsbho 1.0 ÀàÐÍ¿â"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0\win32	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\ = "cfsbho"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\ = "{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\0	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\TypeLib\Version = "1.0"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper.1\ = "CBHelper Object"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\ = "CBHelper Object"	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\Programmable	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ProxyStubClsid32	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ProgID	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0	RunDll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RunDll32.exe

pid	process
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe
1208	RunDll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RunDll32.exe

description pid process

Token: SeDebugPrivilege 1208 RunDll32.exe

description	pid	process
Token: SeDebugPrivilege	1208	RunDll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

duisc.exeRunDll32.exe

description	pid	process	target process
PID 4728 wrote to memory of 3304	4728	duisc.exe	CFSQdll.exe
PID 4728 wrote to memory of 3304	4728	duisc.exe	CFSQdll.exe
PID 4728 wrote to memory of 3304	4728	duisc.exe	CFSQdll.exe
PID 4728 wrote to memory of 2728	4728	duisc.exe	Rundll32.exe
PID 4728 wrote to memory of 2728	4728	duisc.exe	Rundll32.exe
PID 4728 wrote to memory of 2728	4728	duisc.exe	Rundll32.exe
PID 4728 wrote to memory of 4796	4728	duisc.exe	RunDll32.exe
PID 4728 wrote to memory of 4796	4728	duisc.exe	RunDll32.exe
PID 4728 wrote to memory of 4796	4728	duisc.exe	RunDll32.exe
PID 4728 wrote to memory of 1208	4728	duisc.exe	RunDll32.exe
PID 4728 wrote to memory of 1208	4728	duisc.exe	RunDll32.exe
PID 4728 wrote to memory of 1208	4728	duisc.exe	RunDll32.exe
PID 1208 wrote to memory of 3456	1208	RunDll32.exe	Explorer.EXE
PID 1208 wrote to memory of 4796	1208	RunDll32.exe	RunDll32.exe
PID 1208 wrote to memory of 780	1208	RunDll32.exe	svchost.exe
PID 1208 wrote to memory of 3456	1208	RunDll32.exe	Explorer.EXE

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\duisc.exe
"C:\Users\Admin\AppData\Local\Temp\duisc.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\msibm\CFSQdll.exe
C:\Windows\system32\msibm\CFSQdll.exe 20
3⤵
- Executes dropped EXE
PID:3304

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
3⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2728

C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ibmuuid_.dll
Filesize
36B

MD5
439b576b10b1f3c3d234efa11f25320e

SHA1
cf32b1b645e477e3b668c5dbb40335ccd210d98e

SHA256
a9db00075e8cd3bb95e01e3cfaefee16735fc5634d9135f8ec85ff5297083292

SHA512
0668d5f8318bb5bcf388898680a7dba74b2f4c3abc1740dbf07c756cb5248b9db7568d6d1b2f2a671e33c85b4c5429fe4e9e562f4074b1f6e62b20ccf972e12d

Download Submit
C:\Windows\SysWOW64\ibmvdr_.dll
Filesize
6B

MD5
67235f0ee23bb5d9bfe272daec727c3a

SHA1
2020834bddfd82c85922ba6293277dd4047ec127

SHA256
4c31b850b9373f1a31705b3327cc8b0ac529a6a7aa5c86979c51b422d6a1afcc

SHA512
18e0adde1f8d4f9f5c51e74cbbb7c71c6843870f3e99f2e6ce81f92d3c1bd83a35116ba1f99b6582aae0c4dde83f616b5490cc12871e5cd3e54222e0ec219017

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe
Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
C:\Windows\SysWOW64\msibm\cfs7zd.DLL
Filesize
14KB

MD5
379f4f2560c2d11838676ffcabeee8dd

SHA1
b88999a424f7306eb2000955f5d8f1424160d1b2

SHA256
65aaaad675bda642ae296a89a6a4da29693ed094c5db200470f32637164820c3

SHA512
4861bb5ad9d1eacc6d92ec8554b81c25c5be3544d93c1200b7784cf2aaa2ea32247d13cfebdecfbc8bd637959643e5808922cf2b57685057f36cdaf3a196f22d

Download Submit
C:\Windows\SysWOW64\msibm\cfsbho.dll
Filesize
130KB

MD5
f967f2d1ae78ae5b5008dc6de13682b7

SHA1
16ce4cba1d7fc76365952b14292671e47b1d1e4e

SHA256
ce884173c8d8a900ab2b1cb1926b0ea87a74263be6065a4cb38a374682e0b260

SHA512
73e5257cc94efee13805ea2565ce7b5999dca52ace55562bdae656d73a1b5b839fc80f4939369540a65c50bd09d0a3061085ec12fea1f7da7c1a77ca279d5e3e

Download Submit
C:\Windows\SysWOW64\msibm\cfsupd.dll
Filesize
72KB

MD5
87355014fd31dd1047b4086640f9c14a

SHA1
bde3383df2421d40c1f7ccbb909156dccc847d14

SHA256
5f8d5ad410b926f70edb694028802548d6d1d6c656a5daa1f0cda6613d14e2a3

SHA512
603ef15ea81be5cb39c7b3eeec2202e0100e9d111696cc3de640d18a7b69691d6069c6ab27d72f565a210cdbad11a2332d0c6b211c8d24560efd5674059c09b5

Download Submit
C:\Windows\SysWOW64\msibm\cfsys.dll
Filesize
187KB

MD5
6d7a20743ac066b025c09a4499448264

SHA1
5c15f4ae14c6c80c98ab97d2b98284598b9c3a21

SHA256
6331da561903d8d7fe6eca059899f85956a69786f43d01dfd96c19c85b181473

SHA512
1e8f0dc039838ee809403336a031f1b2940e90c531e170b3d42a189491766df182b2d40d7f238cfd2ce5d6c1949a403c590d258c5cb2fd8004e0c2aebac1949d

Download Submit
C:\Windows\SysWOW64\msibm\intro.tpl
Filesize
161B

MD5
e0782089e9f016369e89a4ec36474355

SHA1
a364f107081a899aea66ed73403dfc19041ea3f5

SHA256
c09efa49ecdb14dbd0dae118f3ba4ac30ecb4fe2db9e5bfe2874403733e99d46

SHA512
fff1a002e575ecf1f43573e2278f246ee72d007ac008f81717ecd0a9a003e969d2e91a28019e29912ed4741f1f3d9bed43adc14bfa48d80bd471df47825b9cfe

Download Submit
C:\Windows\SysWOW64\msibm\lowlvl.dll
Filesize
44KB

MD5
5ad7b028f0431453d05d5bedcdee3574

SHA1
c9f14c3530391461b74a4da359e1d0b7fdffad12

SHA256
d6a2fdaebae37652ae308a0103285eefc266081cda2114873cdba0d159f0159f

SHA512
22fd3a8e1fc8dedc8062905d4a81d3806c62eb10ce15468f6ec835dd8d6b6295dd17300a38fc02b6d1f7feef46045aea6d1bbbf334507bb34779ea7dd0aeaf9c

Download Submit
C:\Windows\SysWOW64\msibm\post.tpl
Filesize
160B

MD5
7ba5508ca1abca116183c1dcdbcf31d2

SHA1
c006df723e7ce851387345efe880c2fb7796d330

SHA256
0057b6b6acd17a102867a24e4927cdc487db31930c8769ad5271497757546e3e

SHA512
31dae4340d02815a0529cabe88fcad6a1e127776076d6172a1d7a76ed54cd0ecb86fec9aede5db9bf37278b47de857bc4c738d2fa30bfb635181492f8a8bd21b

Download Submit
C:\Windows\SysWOW64\msuuid_.dll
Filesize
36B

MD5
4598dce7e912594e979a182c22add795

SHA1
8d47611a92f24ebce64c89dcf87fcb24e5853ad1

SHA256
c3620c80e1ac2b335c512f650fe2a7b88f319f2d482d19cf5078eae83eb56a66

SHA512
f3e49d7249a0e92b564b2d786baae3501f36b794c2e0729a40b2f224247467499b8f39e34ae63cdcd59cee8d701b500a78ba386a0bc4c62f05c2ea80b82c9b52

Download Submit
C:\Windows\SysWOW64\msvendr_.dll
Filesize
3B

MD5
88d01685b67f611b42c5f0d4812a362b

SHA1
83384a4e3c734850de97cd8e3630b983f5fe2a37

SHA256
2691b1e337eb42cde24d4c61b8fd95fe7d5906e7720d4ad6807dd34377a9275c

SHA512
a0b6e6d60281a435e3463dcd7af04a8777ec7d883805c08c0529967affb26faca1d91c675866c24a096f2dd7852115b5caf8e50522e43d789ce3d088af4ca0ca

Download Submit
memory/1208-44-0x0000000004120000-0x0000000004136000-memory.dmp

Filesize
88KB

Download
memory/4796-37-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download