5278cbdca1f8a72788a80586d7b6b6e42c64f51bb1d207b46a41bf39ff977152

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
Size

324KB
MD5

4941418f713b3680d5eb4e0638cda246
SHA1

36a3087e6b3102fa71ab984f4ba0c7ca580514b4
SHA256

5278cbdca1f8a72788a80586d7b6b6e42c64f51bb1d207b46a41bf39ff977152
SHA512

60732b6840a32cd5933c9a89f15cd461c11d85bce0891092b464d352373ac2cfe622083c52299800385c9a3ddf3db59689a8c3ecfd08d78c4c66f9bc151be804
SSDEEP

6144:USbGziIAVS75KqmzlNhWza6cmdJ6XRB8T5MJ8b6NHBRC+:USwIS75KqmzL6cmdJ6X78TuJ8byC+

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016c5a-24.dat	acprotect
behavioral1/files/0x0009000000016d02-44.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2256	1.exe
2708	Windows:Remote-Controller.com

Loads dropped DLL 7 IoCs

pid	Process
1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
2256	1.exe
2600	regsvr32.exe
2256	1.exe
2708	Windows:Remote-Controller.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016c5a-24.dat	upx
behavioral1/memory/2256-26-0x0000000010000000-0x0000000010014000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Windows:Remote-Controller.com
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run	Windows:Remote-Controller.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\boredcoders = "C:\\Windows:Remote-Controller.com"	Windows:Remote-Controller.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.shark-project.info = "C:\\Windows:Remote-Controller.com"	Windows:Remote-Controller.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zlib.dll	1.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	1.exe
File opened for modification	C:\Windows\SysWOW64\jpg.dll	1.exe
File opened for modification	C:\Windows\SysWOW64\win.com	1.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	Windows:Remote-Controller.com
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	Windows:Remote-Controller.com
File opened for modification	C:\Windows\SysWOW64\jpg.dll	Windows:Remote-Controller.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows:Remote-Controller.com	1.exe
File created	C:\Windows:Remote-Controller.com	1.exe
File opened for modification	C:\Windows:Remote-Controller.com	Windows:Remote-Controller.com

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2256	1.exe
2256	1.exe
2256	1.exe
2256	1.exe
2256	1.exe
2708	Windows:Remote-Controller.com
2708	Windows:Remote-Controller.com
2708	Windows:Remote-Controller.com
2708	Windows:Remote-Controller.com
2708	Windows:Remote-Controller.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
2256	1.exe
2708	Windows:Remote-Controller.com

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2436	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2436	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2436	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2436	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2256	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2256	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2256	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2256	1948	4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe	32
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2600	2256	1.exe	34
PID 2256 wrote to memory of 2708	2256	1.exe	35
PID 2256 wrote to memory of 2708	2256	1.exe	35
PID 2256 wrote to memory of 2708	2256	1.exe	35
PID 2256 wrote to memory of 2708	2256	1.exe	35

C:\Users\Admin\AppData\Local\Temp\4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\4941418f713b3680d5eb4e0638cda246_JaffaCakes118.exe"
  2⤵
  PID:2436
- C:\Users\Admin\AppData\Roaming\1.exe
  C:\Users\Admin\AppData\Roaming\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2600
- - C:\Windows:Remote-Controller.com
    C:\Windows:Remote-Controller.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jpg.dll

Filesize
51KB

MD5
4eda362e326609a0a80e2736b67607ab

SHA1
64aa572d16f7cd6e6bd2296f2c96ad1604c713d1

SHA256
061e9f721af9a538dcfd96d13cb3deef1479b5785f566818c34c3faa585d650a

SHA512
f23f6a5c362808aef98516dcf12e3eeefd8498c812c27f96820d7d086694641cb4eefc7970b4750a0e4a5a0be1f90ac8981fc2f028e7085d50bd44bd4880c51d

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Users\Admin\AppData\Roaming\1.exe

Filesize
296KB

MD5
13ba73e49ddf24bea2a116dfe8890d1a

SHA1
7c20cdb2c7fb04ae1fb7ad438ba21ef1d06da0fc

SHA256
ba3d508320d8e64a6dd0418057546a64ad485e0a315b485b64b63430986986df

SHA512
9304374dd15bba4df7a838e446042a4e52716887ba4a06dbb87c40d4a8d03565f1b161976bff87ad62700dfacff2675c3cba649bbdd23bcd5c8f581156e2af62

Download Submit
\Users\Admin\AppData\Roaming\kernel33.dll

Filesize
1.1MB

MD5
e14ba6a9464bed1127c50214acaf0c1a

SHA1
3eeda63ac8209ffa2e1beeefdde6531e61f8dc4d

SHA256
fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38

SHA512
55a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26

Download Submit
\Windows\SysWOW64\zlib.dll

Filesize
27KB

MD5
200d52d81e9b4b05fa58ce5fbe511dba

SHA1
c0d809ee93816d87388ed4e7fd6fca93d70294d2

SHA256
d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

SHA512
7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

Download Submit
memory/1948-0-0x0000000000400000-0x00000000004518E8-memory.dmp

Filesize
326KB

Download
memory/1948-22-0x0000000000400000-0x00000000004518E8-memory.dmp

Filesize
326KB

Download
memory/2256-26-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download