sality | 4276f13c88620c8740c92d30e0bc65d44b457ab31dd9792d7dde5748daa79642

Analysis

max time kernel
21s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Size

280KB
MD5

1c841a96dbea9d9a2ecb7b56c0c99b05
SHA1

8a0407024682c0f8cbe1a0d267759a28778508d1
SHA256

4276f13c88620c8740c92d30e0bc65d44b457ab31dd9792d7dde5748daa79642
SHA512

e098b3600f920bcd949111c94f856fbbeb58a87b34ddee0eb8d0c4fa2139b9017db011606dbb1806a4411ff3ff674b44131069916ae77d0b51c9371c0867db0b
SSDEEP

3072:aVHgKc4xGvbwcU9KQ2BBAHmaPxBVoSb5EsbTNTqABY92vn9T4jvzmSHTW9w:rKc4xGxWKQ2BonxTTNqiTyCXu

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4796	jusched.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	jusched.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-11-0x00000000021D0000-0x0000000003200000-memory.dmp	upx
behavioral2/memory/2488-5-0x00000000021D0000-0x0000000003200000-memory.dmp	upx
behavioral2/memory/2488-1-0x00000000021D0000-0x0000000003200000-memory.dmp	upx
behavioral2/memory/2488-16-0x00000000021D0000-0x0000000003200000-memory.dmp	upx
behavioral2/memory/2488-18-0x00000000021D0000-0x0000000003200000-memory.dmp	upx
behavioral2/memory/4796-54-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-50-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-57-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-64-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-66-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-77-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/4796-79-0x00000000023F0000-0x0000000003420000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\49551ed2\jusched.exe	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
File created	C:\Program Files (x86)\49551ed2\49551ed2	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
File created	C:\Windows\Tasks\Update23.job	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
4796	jusched.exe
4796	jusched.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Token: SeDebugPrivilege	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 776	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	8
PID 2488 wrote to memory of 780	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	9
PID 2488 wrote to memory of 1020	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	13
PID 2488 wrote to memory of 2536	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	42
PID 2488 wrote to memory of 2548	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	43
PID 2488 wrote to memory of 2692	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	46
PID 2488 wrote to memory of 3440	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	55
PID 2488 wrote to memory of 3676	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	57
PID 2488 wrote to memory of 3864	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	58
PID 2488 wrote to memory of 3960	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	59
PID 2488 wrote to memory of 4020	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	60
PID 2488 wrote to memory of 1100	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	61
PID 2488 wrote to memory of 3640	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	62
PID 2488 wrote to memory of 4408	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	64
PID 2488 wrote to memory of 1032	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	75
PID 2488 wrote to memory of 4796	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	81
PID 2488 wrote to memory of 4796	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	81
PID 2488 wrote to memory of 4796	2488	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe	81
PID 4796 wrote to memory of 776	4796	jusched.exe	8
PID 4796 wrote to memory of 780	4796	jusched.exe	9
PID 4796 wrote to memory of 1020	4796	jusched.exe	13
PID 4796 wrote to memory of 2536	4796	jusched.exe	42
PID 4796 wrote to memory of 2548	4796	jusched.exe	43
PID 4796 wrote to memory of 2692	4796	jusched.exe	46
PID 4796 wrote to memory of 3440	4796	jusched.exe	55
PID 4796 wrote to memory of 3676	4796	jusched.exe	57
PID 4796 wrote to memory of 3864	4796	jusched.exe	58
PID 4796 wrote to memory of 3960	4796	jusched.exe	59
PID 4796 wrote to memory of 4020	4796	jusched.exe	60
PID 4796 wrote to memory of 1100	4796	jusched.exe	61
PID 4796 wrote to memory of 3640	4796	jusched.exe	62
PID 4796 wrote to memory of 4408	4796	jusched.exe	64
PID 4796 wrote to memory of 1032	4796	jusched.exe	75

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jusched.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2548

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2692

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1c841a96dbea9d9a2ecb7b56c0c99b05_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2488
- - C:\Program Files (x86)\49551ed2\jusched.exe
    "C:\Program Files (x86)\49551ed2\jusched.exe"
    3⤵
    - UAC bypass
    - Deletes itself
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4796
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2204
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4408

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\49551ed2\49551ed2

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\49551ed2\jusched.exe

Filesize
280KB

MD5
4a112f1bcd203a7a32f29219d44149b5

SHA1
512d39b8081a606e0e9e2490086b15eb5cc2529e

SHA256
29c0228af5401e452e2fc711a6ba981d05c560a807e4f21f9d4007043ea5d44d

SHA512
5af27df4b7021afa6a91cbeb420ca08be2b9e34e06ff5890da6f4b953cddc3678f455300b768e6e1557b95b47f37f45492f13e1a3c491f4f50a82a5568d11dcd

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
82d67168e2bd8e4c486953fcc429a6fc

SHA1
746eab8314506c2926feb04d32ed4be7cec1e581

SHA256
151f188a943a132f28ea288de0d822c7009f3db843e48d3ed4bcbf7e4646e002

SHA512
da0b193d865d77cb115682ec57b5b4de9bafa1daf52139a0662cb40d07eb379367e528b1f17871b65720ca41361d5287193149bc791633d7eba0fb3cdafaa027

Download Submit
memory/2044-112-0x00000000005C0000-0x00000000005D7000-memory.dmp

Filesize
92KB

Download
memory/2488-1-0x00000000021D0000-0x0000000003200000-memory.dmp

Filesize
16.2MB

Download
memory/2488-9-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2488-8-0x00000000033C0000-0x00000000033C2000-memory.dmp

Filesize
8KB

Download
memory/2488-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2488-16-0x00000000021D0000-0x0000000003200000-memory.dmp

Filesize
16.2MB

Download
memory/2488-18-0x00000000021D0000-0x0000000003200000-memory.dmp

Filesize
16.2MB

Download
memory/2488-13-0x00000000033C0000-0x00000000033C2000-memory.dmp

Filesize
8KB

Download
memory/2488-11-0x00000000021D0000-0x0000000003200000-memory.dmp

Filesize
16.2MB

Download
memory/2488-39-0x00000000033C0000-0x00000000033C2000-memory.dmp

Filesize
8KB

Download
memory/2488-49-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2488-12-0x00000000033C0000-0x00000000033C2000-memory.dmp

Filesize
8KB

Download
memory/2488-5-0x00000000021D0000-0x0000000003200000-memory.dmp

Filesize
16.2MB

Download
memory/3012-106-0x0000000000530000-0x0000000000547000-memory.dmp

Filesize
92KB

Download
memory/4796-57-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-61-0x0000000000610000-0x0000000000612000-memory.dmp

Filesize
8KB

Download
memory/4796-59-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4796-60-0x0000000000610000-0x0000000000612000-memory.dmp

Filesize
8KB

Download
memory/4796-64-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-66-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-77-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-79-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-107-0x0000000000610000-0x0000000000612000-memory.dmp

Filesize
8KB

Download
memory/4796-50-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-54-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/4796-48-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download