sality | c17db638a109c9d7676637cb11118b6262b2ffe810cd230cbb9ba696b83cf0d6

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Size

189KB
MD5

c538cbce71ce7a61c30ee9f3f3776e49
SHA1

f25910090d498e06002d89f8b3f3b4c1fae788d3
SHA256

c17db638a109c9d7676637cb11118b6262b2ffe810cd230cbb9ba696b83cf0d6
SHA512

8861127c549912319dc407fd052f757d6e95e76e80c65f96283f6ecbc9eeff13d6cb0aec7b29960441f740876a90acb2684287cbb4d420e70ea85d016f0c3c26
SSDEEP

3072:+J94lHFrIX3WCISceAoW+SX2DtulR7ijBA5NwIvPCEh3Gr93ZZ7xhY+h9HumW:AUDomoWfmkk9SNw0P3hYLpbBW

Score

10^/10

sality backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	Au_.exe

Loads dropped DLL 11 IoCs

pid	Process
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-1-0x0000000002360000-0x0000000003390000-memory.dmp	upx
behavioral2/memory/3596-4-0x0000000002360000-0x0000000003390000-memory.dmp	upx
behavioral2/memory/3596-8-0x0000000002360000-0x0000000003390000-memory.dmp	upx
behavioral2/memory/3596-22-0x0000000002360000-0x0000000003390000-memory.dmp	upx
behavioral2/memory/2208-146-0x0000000006B50000-0x0000000007B80000-memory.dmp	upx
behavioral2/memory/2208-144-0x0000000006B50000-0x0000000007B80000-memory.dmp	upx
behavioral2/memory/2208-147-0x0000000006B50000-0x0000000007B80000-memory.dmp	upx
behavioral2/memory/2208-160-0x0000000006B50000-0x0000000007B80000-memory.dmp	upx
behavioral2/memory/2208-180-0x0000000006B50000-0x0000000007B80000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe
2208	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe
Token: SeDebugPrivilege	2208	Au_.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 788	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	9
PID 3596 wrote to memory of 796	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	10
PID 3596 wrote to memory of 384	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	13
PID 3596 wrote to memory of 2780	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	47
PID 3596 wrote to memory of 2800	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	48
PID 3596 wrote to memory of 2208	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	82
PID 3596 wrote to memory of 2208	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	82
PID 3596 wrote to memory of 2208	3596	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe	82
PID 2208 wrote to memory of 788	2208	Au_.exe	9
PID 2208 wrote to memory of 796	2208	Au_.exe	10
PID 2208 wrote to memory of 384	2208	Au_.exe	13
PID 2208 wrote to memory of 2780	2208	Au_.exe	47
PID 2208 wrote to memory of 2800	2208	Au_.exe	48
PID 2208 wrote to memory of 2204	2208	Au_.exe	52
PID 2208 wrote to memory of 3468	2208	Au_.exe	56
PID 2208 wrote to memory of 3560	2208	Au_.exe	57
PID 2208 wrote to memory of 3768	2208	Au_.exe	58
PID 2208 wrote to memory of 3864	2208	Au_.exe	59
PID 2208 wrote to memory of 3924	2208	Au_.exe	60
PID 2208 wrote to memory of 4052	2208	Au_.exe	61
PID 2208 wrote to memory of 4144	2208	Au_.exe	62
PID 2208 wrote to memory of 2232	2208	Au_.exe	75
PID 2208 wrote to memory of 4448	2208	Au_.exe	76

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2800

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c538cbce71ce7a61c30ee9f3f3776e49_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4144

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E57BFA6_Rar\Au_.exe

Filesize
117KB

MD5
b94937be67e71037a37e8c6db6c31def

SHA1
a9ac455c40a522342f63b7693ff8a8bd17fefd11

SHA256
a773f83312c7f46c96bd328c1e75b2f0e4871e09bfac50adbab03e31fe683c5f

SHA512
5645a3c295be7e0be01241b926d9648853f71928bfe7f04ab565ca510718cbd47d232ace952f1de6dbd4cd67feef04131e7840b7a16ace5cf747f1e6f82925a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\InstallOptions.dll

Filesize
15KB

MD5
5e1b4d6318e6841bc05110ff2fffde08

SHA1
14fd68255e5992afa3affd35e9ad37a63207a8e7

SHA256
f527c375be190b78c063f95ec103cbac2e6c231ca28242f47d7b8771a4200fa5

SHA512
dc5f14b24590830a1588acb0360a6574cdd5a185772e93ab38116acb6e6744f42c85b134516cab470f736816c77691cb2c512ea9f79d0346d6eb789bc94eb538

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\System.dll

Filesize
9KB

MD5
29948eac267f1f3a618adccffac4a6da

SHA1
501a6ed0d063bea025e292d87ebc8a2ad6909639

SHA256
53da28f1a771ede7149d58b9fb8bc42184494202065f68dd2a19e7800f084999

SHA512
7cf19408eb0f2be7423c6e199c1bbd016cc1b469a4f4d53aeeb63afdf0d3b5f50310c034ad7b5da58b1e8a34a90ccbfe912ac08f13fcce3df98e085820f600c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\UserInfo.dll

Filesize
4KB

MD5
15bfdf6af53021cc43d20d4cb32c487c

SHA1
efd9ec82c81a886f0b04222961c26f6822051d95

SHA256
8a846161651a5363d5e19a97b8677bff832751c1eecebe888528e303136d4706

SHA512
212d7dd912e47800b59aeb3eec7cfd3616c09aae2c03b583c7c075f6a880e8570c2ce50419ae0f42aaa3500ef7135be49c29862f7190160136e68cc93cf762e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\ioSpecial.ini

Filesize
980B

MD5
df75eb60a3d95f46465d39f76840828f

SHA1
8eb94e709db642801b806b631e401ae93b94dc5a

SHA256
b0cd49a4039c09987a3d42d93ff2f2628493e017cb982e4678b247c0dc6bd6c3

SHA512
1d9b3a06edeb1993ef78d85f65381a9dad048a8c7c9f10648867836362eb5cb6e7af621d26eb164863a2656f843626462783dc2596c1e36e668b6dad3c1a2bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\nsProcess.dll

Filesize
84KB

MD5
fae3be7a9827eaa3ef9f43832805e110

SHA1
0888a3ed318f17bf39e3c9af5848c965551b31a5

SHA256
65aac0490feb6cb70ef76b39d3f08f61172dfce998fecf56a25c3f10d5c754a7

SHA512
39d0496614a390c2e97636bd1d252c3cba8c0c28a7245f631cc7b7195bfe224cb176c97adbb92824df8db5e5340d5255171eabcac0da548385fed0d81578c6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBFB8.tmp\uac.dll

Filesize
16KB

MD5
4e1c46e37af4b3ab0036cb1e85c81608

SHA1
8424a551d819cdae44d95a80af24a502d7e25ac1

SHA256
468d24e632789e5d2e740bf7b084d72e4e3784ebc19d77dfe4b3d866bec8d789

SHA512
9a2e140238bc6e4492cfcd022930b4facb3ca61d498febce949b36b526ef5ab434d94d0811bf958f572d1cf141b4411fa7950551244926a93d69b68d8fd33df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
189KB

MD5
c538cbce71ce7a61c30ee9f3f3776e49

SHA1
f25910090d498e06002d89f8b3f3b4c1fae788d3

SHA256
c17db638a109c9d7676637cb11118b6262b2ffe810cd230cbb9ba696b83cf0d6

SHA512
8861127c549912319dc407fd052f757d6e95e76e80c65f96283f6ecbc9eeff13d6cb0aec7b29960441f740876a90acb2684287cbb4d420e70ea85d016f0c3c26

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
5c8e39ee4ef315732623926a56d8b8b2

SHA1
2a8f8c5ad70f85c78503627729a5da51c1f82059

SHA256
d7212fc0eb6800261846f053bca77e69fc96c0615cbb6857c5463a3be2553778

SHA512
0adbdfe9d802b8d5e4214a2429bc31fb005c7c659dbdaf0526d272557c8b63abe8eec3622b0f5d6e109f1f08edf52428d5ea324099d29dd475ea4e4cd582c447

Download Submit
memory/2208-151-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/2208-147-0x0000000006B50000-0x0000000007B80000-memory.dmp

Filesize
16.2MB

Download
memory/2208-193-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-180-0x0000000006B50000-0x0000000007B80000-memory.dmp

Filesize
16.2MB

Download
memory/2208-160-0x0000000006B50000-0x0000000007B80000-memory.dmp

Filesize
16.2MB

Download
memory/2208-28-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-152-0x0000000006070000-0x0000000006072000-memory.dmp

Filesize
8KB

Download
memory/2208-146-0x0000000006B50000-0x0000000007B80000-memory.dmp

Filesize
16.2MB

Download
memory/2208-144-0x0000000006B50000-0x0000000007B80000-memory.dmp

Filesize
16.2MB

Download
memory/2208-157-0x0000000006070000-0x0000000006072000-memory.dmp

Filesize
8KB

Download
memory/2208-150-0x0000000006070000-0x0000000006072000-memory.dmp

Filesize
8KB

Download
memory/3596-4-0x0000000002360000-0x0000000003390000-memory.dmp

Filesize
16.2MB

Download
memory/3596-1-0x0000000002360000-0x0000000003390000-memory.dmp

Filesize
16.2MB

Download
memory/3596-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3596-8-0x0000000002360000-0x0000000003390000-memory.dmp

Filesize
16.2MB

Download
memory/3596-22-0x0000000002360000-0x0000000003390000-memory.dmp

Filesize
16.2MB

Download
memory/3596-29-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download