30a66df1a0555cff5637930b2672b78b58ab2a9fa5a1b3eef8a9259deef3ee33

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
Size

30KB
MD5

d1358cf60aa092658f87d8e0ea4252a6
SHA1

ebf42a1f2d8c35de25291b170938b42d613b4f92
SHA256

30a66df1a0555cff5637930b2672b78b58ab2a9fa5a1b3eef8a9259deef3ee33
SHA512

0029bf3c730b7876ae97afceeb501203d03f17faeb0d3b15b09587e98bb0e333313418625170a3d20983c277ee958fcb49ca433aa0afe94b054977648b530520
SSDEEP

768:AZwPyD2M1pG70XNv43k1JJSHrqMDR2KU7GhP:AIG18gqGwZR2P7GhP

Score

10^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchust.exe"	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2836	Nessery.exe

Executes dropped EXE 3 IoCs

pid	Process
2108	cinmon.exe
2836	Nessery.exe
2648	svchust.exe

Loads dropped DLL 12 IoCs

pid	Process
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
2836	Nessery.exe
2836	Nessery.exe
2836	Nessery.exe
2756	regsvr32.exe
2836	Nessery.exe
2836	Nessery.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000400000-0x0000000000420200-memory.dmp	upx
behavioral1/memory/1640-1-0x0000000000400000-0x0000000000420200-memory.dmp	upx
behavioral1/memory/1640-2-0x0000000000400000-0x0000000000420200-memory.dmp	upx
behavioral1/memory/1640-24-0x0000000000400000-0x0000000000420200-memory.dmp	upx
behavioral1/files/0x0009000000016d5e-35.dat	upx
behavioral1/memory/2836-36-0x0000000001EE0000-0x0000000001F01000-memory.dmp	upx
behavioral1/memory/2648-50-0x0000000000400000-0x0000000000420200-memory.dmp	upx
behavioral1/memory/2648-52-0x0000000000400000-0x0000000000420200-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\ = "WEB·´²¡¶¾±£»¤"	regsvr32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cinmon.exe	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Nessery.sys	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Nessery.exe	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Nessery.dll	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\syswine.ini	Nessery.exe
File opened for modification	C:\Windows\SysWOW64\syswine.ini	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssdti.sys	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Nesery.dll	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macsoin.dll	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchust.exe	Nessery.exe
File opened for modification	C:\Windows\SysWOW64\svchust.exe	Nessery.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cinmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nessery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchust.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO.1\CLSID\ = "{8744DB13-A027-4F73-9F16-DBF9AE1563FD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO\ = "WEB·´²¡¶¾±£»¤"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib\ = "{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\TypeLib\ = "{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ = "IBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO\CurVer\ = "CkBHO.BHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\VersionIndependentProgID\ = "CkBHO.BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib\ = "{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Nessery.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO\CLSID\ = "{8744DB13-A027-4F73-9F16-DBF9AE1563FD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CkBHO.BHO.1\ = "WEB·´²¡¶¾±£»¤"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\ = "WEB·´²¡¶¾±£»¤"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0\ = "CkBHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A913C07A-7039-466A-B0DC-4E24E11A6EDA}\ = "IBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\ProgID\ = "CkBHO.BHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8744DB13-A027-4F73-9F16-DBF9AE1563FD}\InprocServer32\ = "C:\\Windows\\SysWow64\\Nessery.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D38FD043-7D0F-48DD-8E99-3F7FBDE485B5}\1.0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe
2648	svchust.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2648	svchust.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
2108	cinmon.exe
2108	cinmon.exe
2836	Nessery.exe
2648	svchust.exe
2648	svchust.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2108	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2108	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2108	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2108	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2756	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	31
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 1640 wrote to memory of 2836	1640	d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe	32
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33
PID 2836 wrote to memory of 2648	2836	Nessery.exe	33

C:\Users\Admin\AppData\Local\Temp\d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1358cf60aa092658f87d8e0ea4252a6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cinmon.exe
  "C:\Windows\system32\cinmon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /c C:\Windows\system32\Nessery.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2756
- C:\Windows\SysWOW64\Nessery.exe
  "C:\Windows\system32\Nessery.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\svchust.exe
    "C:\Windows\system32\svchust.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nessery.dll

Filesize
28KB

MD5
481f922a2ab720339ae0b982814bdf05

SHA1
da52ffaaf1c7567af160214f8e153250ed958977

SHA256
f9b3b097f31cb8099a5bcdb86acefb2ecd652e86283ea74847efcb8ac43d69af

SHA512
41a81d6720c19d5b6a036fc46a7fba6b625e2e8d84069ff728764c533ab16761eaad1ea4234bdd2046e1de2e161d3bfb0a633b121f1e1ab61a2762fba501d7c2

Download Submit
C:\Windows\SysWOW64\cinmon.exe

Filesize
20KB

MD5
df96e7f22130ae2538473846a5bd4a89

SHA1
e6ff857868f0958dcbc6e48ef78e8acdddf24e93

SHA256
58c84350e4a44fb5f4e7bb7058b61d4b48ad20b2e99ef8a9f23d7630dabd85b2

SHA512
16f4750e6b0f9dd02b7f8cd6dcf487a1a9e4be05aa6cfbe8ce99bfa82c461910a3138a4f98c0ff0592d1ea670f3a2e1e5a3c47f76a098cf5fbe0559e024f6a9a

Download Submit
C:\Windows\SysWOW64\ssdti.sys

Filesize
2KB

MD5
36d5eaec53f5756e2dab290bb415c94d

SHA1
8fb95fca372d703ef10ba8827b0bb8d3e002428b

SHA256
9a3dfe32cf24d8dc800f64647be21ff0ff5f4a3732fadd60af311a7e6089c514

SHA512
0296186028de7cdf0e8893b1fb7bfa70dec54ed57704a56965d294fc0b9bb51f92d4cb5c126085591d0ef7c255840a6d858b553f4a3c8e69dfe88630b4101757

Download Submit
C:\Windows\SysWOW64\syswine.ini

Filesize
105B

MD5
5338be2cefd2493488b0327a1ff2cce0

SHA1
e8d78f92513133ca97f1fb92af6fbe7bedd1b986

SHA256
8992c2c8f486e32c427735a4e0788cba32207eb33a4f471084d60bcbdbf331f9

SHA512
1c320ec74e098031d286c2275bcdc89a7c4825ebb55010bd1cecf1b71fe8eb7713ea97ecad81b5dcbcb82c39fc6f2bc1cfc0a991b8732ca0cae3b706e01f0d39

Download Submit
C:\Windows\SysWOW64\syswine.ini

Filesize
26B

MD5
d8ab3ea023fda33b8017ccc4748534f8

SHA1
e5c8b0f40ed03ad98f0d207ee073af2ee925db78

SHA256
14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

SHA512
0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

Download Submit
\Windows\SysWOW64\Nessery.exe

Filesize
20KB

MD5
cc317d7c2a5fbe5376b0211d470d0dc8

SHA1
7eede35ab2e9ff2ab5c07e16f8d0981a91154521

SHA256
a9f8935f41938432093cf397d0daf49ef07086ec75914d7dfed271db22827b0d

SHA512
4c16ee4aa37c8b2c5b2277bc5578c96c28be1383e299abbce0fe1186486f74e814e04e64ded3230747ae80fba0c70f00ed6b20ab1b30508f7695944fc862ee3b

Download Submit
\Windows\SysWOW64\svchust.exe

Filesize
30KB

MD5
d1358cf60aa092658f87d8e0ea4252a6

SHA1
ebf42a1f2d8c35de25291b170938b42d613b4f92

SHA256
30a66df1a0555cff5637930b2672b78b58ab2a9fa5a1b3eef8a9259deef3ee33

SHA512
0029bf3c730b7876ae97afceeb501203d03f17faeb0d3b15b09587e98bb0e333313418625170a3d20983c277ee958fcb49ca433aa0afe94b054977648b530520

Download Submit
memory/1640-24-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/1640-0-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/1640-2-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/1640-1-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/2648-50-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/2648-49-0x0000000000230000-0x0000000000251000-memory.dmp

Filesize
132KB

Download
memory/2648-48-0x0000000000230000-0x0000000000251000-memory.dmp

Filesize
132KB

Download
memory/2648-52-0x0000000000400000-0x0000000000420200-memory.dmp

Filesize
128KB

Download
memory/2836-36-0x0000000001EE0000-0x0000000001F01000-memory.dmp

Filesize
132KB

Download