d4f2a917898747b2925721cacbdd09d4ea29dce9fd6380d8e2f8c1904197080a

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
Size

348KB
MD5

2e734811b8fd40255183a8068c937011
SHA1

96701e3f2fa7712aead95d41251a0787116f2ea1
SHA256

d4f2a917898747b2925721cacbdd09d4ea29dce9fd6380d8e2f8c1904197080a
SHA512

0b3cbd4a8fd82bbfe9f8fb4ebdc3392772acbfc84f405ebd42d3275fb2e081aaacb42da0c117207a9143ebfef2f4023704061b19e3b17c3072235a6d3f03b3d2
SSDEEP

3072:eeqSbnq+h4RQw9SJH/qxSXNXy0jJz3wvg4mnedvYCq8rPLIzJND+LF6M0jk43p:eeqSu+hcKqxSFUvgdedvdq+MzDAUY43

Score

8^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2736	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2400	regsvr32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
3040	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ajkl9.dll	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ajkl9.dll	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ajklz.dll	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ggsss7.dll	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2188-10-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2188-21-0x0000000000400000-0x0000000000459000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ = "IEyeOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\TypeLib\ = "{CE673B02-973C-4268-A819-DA005C782B5D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ = "EyeOnIE Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ajklz.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CurVer\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\VersionIndependentProgID\ = "BhoPlugin.EyeOnIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer\ = "TestAtl.ATlMy.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\ = "IEyeOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\ = "EyeOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\ProgID\ = "BhoPlugin.EyeOnIE.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ajklz.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoPlugin.EyeOnIE\CLSID\ = "{6E28339B-7A2A-47B6-AEB2-46BA53782379}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E28339B-7A2A-47B6-AEB2-46BA53782379}\InprocServer32\ = "C:\\Windows\\SysWow64\\ggsss7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\ = "BhoPlugin 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ggsss7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CF9A0D2-ED75-40CB-98C0-36DF6A30E040}\TypeLib\ = "{A2D5957F-6D1A-44CE-BFBA-D448EAAB8781}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
2736	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2736	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	31
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 3040	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	33
PID 2188 wrote to memory of 1688	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	34
PID 2188 wrote to memory of 1688	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	34
PID 2188 wrote to memory of 1688	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	34
PID 2188 wrote to memory of 1688	2188	2e734811b8fd40255183a8068c937011_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\2e734811b8fd40255183a8068c937011_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e734811b8fd40255183a8068c937011_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\ajklz.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 ajkl9.dll , InstallMyDll
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\System32\ggsss7.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 375O540.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375O540.bat

Filesize
2KB

MD5
b918cbefcb81cba5bed5d95a678e20de

SHA1
50d86a21a48f634358560cf0c377b830b638c314

SHA256
1d4407d8e6c736dca851c7380b67d119e8d0479f792d18a2afb0c1ef9d42c9a6

SHA512
098bccf4d52e8d5e986b7f46e882a39995bd730fc0d0d0a9ebcc7639ee0c2572a3afd2698770089f5441b0f07776bc1c6bca3906d0e829e12073c8da840903ff

Download Submit
C:\Windows\SysWOW64\ajkl9.dll

Filesize
116KB

MD5
4b671fa7fad4bff457497d83ee5e1b03

SHA1
961388419b33fdefe34705eb841f16d4da304c6a

SHA256
09564b7c5d410f0d2c8ebbf016489e11591b0a3914d8fe3072cf78fc6d31b9c3

SHA512
65185d3d0a14446bb905f054a95d6a4c172e829652ae60709484835becca49dc7fc4f93b2dff56214bbcb8b7fc38d2afa19c85608aa2fc239fb3d71461a8c4ec

Download Submit
C:\Windows\SysWOW64\ajklz.dll

Filesize
40KB

MD5
1aed9bb654aeb1c97011e961f91d231f

SHA1
e83d0c8cb058708a41ed176448d61df9f13b213f

SHA256
7f905aa8222008c0052786ec54361ec04fbf79bbc2dfe8e18b615c3541b6cd65

SHA512
6191f3e8ba95b5ae6dc653562fb6c340e350956ba22f806fc0c6729482b4b17da6fdb46fcbe66bff31fa39c2628daf8b9760121c2455e017af616ca2e9474078

Download Submit
C:\Windows\SysWOW64\ggsss7.dll

Filesize
44KB

MD5
8905be9225b99b77466e077aecada2b0

SHA1
f3ca04bd03bb6d256da05d7b2aea462a180712e6

SHA256
e3db304da80ee588abfcf68886fdc7d3471f44b74d68b8bb0dac900972b369df

SHA512
6d15734a5a8f31e5219f9645d5b5806302c0f3f3e5705e64fd2bf1e885a5016aa4371a215845b508840442563b323018796bca85dd6ec2291dc416d98b07b367

Download Submit
memory/2188-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-10-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2188-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download