sality | dcc5635f01c83c51b7882a03354cba49028d28d27b18f3d75baa29ce09bb050a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Size

177KB
MD5

da2bb5747bdd2bacb8fa7eee350f74e7
SHA1

b12c7be6bfb1afa62466c9c9dba89810858f1cbd
SHA256

dcc5635f01c83c51b7882a03354cba49028d28d27b18f3d75baa29ce09bb050a
SHA512

1b2e5736a52ba254c00823acf1456e1273ddd5702f0a0ee564df8335f2664d5d4c1e0ba22bbbef400c31a15937221db80025517e5a2f7af8bb4c74079245cf45
SSDEEP

3072:yQI+RTXJM0oYA3+5E8yFBv68ijflhR0pkV9GAO6uPyiWtvM3I:yqKk+b8MxaLlIpG9GRPrWtviI

Score

10^/10

sality backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Deletes itself 1 IoCs

pid	Process
2848	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	Au_.exe
2848	Au_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-1-0x0000000002380000-0x00000000033B0000-memory.dmp	upx
behavioral2/memory/4468-3-0x0000000002380000-0x00000000033B0000-memory.dmp	upx
behavioral2/memory/4468-8-0x0000000002380000-0x00000000033B0000-memory.dmp	upx
behavioral2/memory/2848-45-0x0000000006790000-0x00000000077C0000-memory.dmp	upx
behavioral2/memory/2848-50-0x0000000006790000-0x00000000077C0000-memory.dmp	upx
behavioral2/memory/2848-47-0x0000000006790000-0x00000000077C0000-memory.dmp	upx
behavioral2/memory/2848-59-0x0000000006790000-0x00000000077C0000-memory.dmp	upx
behavioral2/memory/2848-68-0x0000000006790000-0x00000000077C0000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b93-29.dat	nsis_installer_1
behavioral2/files/0x000a000000023b93-29.dat	nsis_installer_2
behavioral2/files/0x000a000000023b94-33.dat	nsis_installer_1
behavioral2/files/0x000a000000023b94-33.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
2848	Au_.exe
2848	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 792	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	9
PID 4468 wrote to memory of 800	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	10
PID 4468 wrote to memory of 60	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	13
PID 4468 wrote to memory of 2964	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	51
PID 4468 wrote to memory of 3024	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	52
PID 4468 wrote to memory of 2636	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	53
PID 4468 wrote to memory of 3436	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	56
PID 4468 wrote to memory of 3564	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	57
PID 4468 wrote to memory of 3740	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	58
PID 4468 wrote to memory of 3840	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	59
PID 4468 wrote to memory of 3904	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	60
PID 4468 wrote to memory of 3992	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	61
PID 4468 wrote to memory of 4112	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	62
PID 4468 wrote to memory of 2316	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	64
PID 4468 wrote to memory of 1800	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	76
PID 4468 wrote to memory of 3116	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	81
PID 4468 wrote to memory of 2848	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	83
PID 4468 wrote to memory of 2848	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	83
PID 4468 wrote to memory of 2848	4468	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe	83
PID 2848 wrote to memory of 792	2848	Au_.exe	9
PID 2848 wrote to memory of 800	2848	Au_.exe	10
PID 2848 wrote to memory of 60	2848	Au_.exe	13
PID 2848 wrote to memory of 2964	2848	Au_.exe	51
PID 2848 wrote to memory of 3024	2848	Au_.exe	52
PID 2848 wrote to memory of 2636	2848	Au_.exe	53
PID 2848 wrote to memory of 3436	2848	Au_.exe	56
PID 2848 wrote to memory of 3564	2848	Au_.exe	57
PID 2848 wrote to memory of 3740	2848	Au_.exe	58
PID 2848 wrote to memory of 3840	2848	Au_.exe	59
PID 2848 wrote to memory of 3904	2848	Au_.exe	60
PID 2848 wrote to memory of 3992	2848	Au_.exe	61
PID 2848 wrote to memory of 4112	2848	Au_.exe	62
PID 2848 wrote to memory of 2316	2848	Au_.exe	64
PID 2848 wrote to memory of 1800	2848	Au_.exe	76

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3024

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2636

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2316

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1800

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E5773C8_Rar\Au_.exe

Filesize
105KB

MD5
69e2b8ae22dc47742aa03b652ed86ddc

SHA1
855a6c671e914c8506556e25eb2485a54c88e37f

SHA256
d23e5f68811f78196840be19e53ae0e1eb50b05d3b69e175a151a7919b560358

SHA512
7d0e6ab6306bab9a501918ce2c8f9f9c28042413e2cd2763a80fe65c1a8eb82c9acbfc4a6b45334bec9a628abe80859418878d1071a1eb7e2c1582f08cff72e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7419.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
177KB

MD5
da2bb5747bdd2bacb8fa7eee350f74e7

SHA1
b12c7be6bfb1afa62466c9c9dba89810858f1cbd

SHA256
dcc5635f01c83c51b7882a03354cba49028d28d27b18f3d75baa29ce09bb050a

SHA512
1b2e5736a52ba254c00823acf1456e1273ddd5702f0a0ee564df8335f2664d5d4c1e0ba22bbbef400c31a15937221db80025517e5a2f7af8bb4c74079245cf45

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
c77dea89d363b17ef9d48b1aa4c5270b

SHA1
d34cd8a32b892a1f06c947df12b9a40f9f367972

SHA256
d764c39c2525ab30b0ab99730d246d142fff3856b159be47c59a9e0c32fe3c43

SHA512
a4eeaf0b64e5225a0110d5c899fa6ea2a19375d0f5b7ddcc09ae14a86522bc7982886f696662ca3e0ef0ff26e272011e68f3a12c112ed901ccb85d2b2cf15c35

Download Submit
memory/2848-53-0x0000000007A40000-0x0000000007A42000-memory.dmp

Filesize
8KB

Download
memory/2848-47-0x0000000006790000-0x00000000077C0000-memory.dmp

Filesize
16.2MB

Download
memory/2848-91-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2848-68-0x0000000006790000-0x00000000077C0000-memory.dmp

Filesize
16.2MB

Download
memory/2848-59-0x0000000006790000-0x00000000077C0000-memory.dmp

Filesize
16.2MB

Download
memory/2848-52-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2848-58-0x0000000007A40000-0x0000000007A42000-memory.dmp

Filesize
8KB

Download
memory/2848-50-0x0000000006790000-0x00000000077C0000-memory.dmp

Filesize
16.2MB

Download
memory/2848-45-0x0000000006790000-0x00000000077C0000-memory.dmp

Filesize
16.2MB

Download
memory/4468-3-0x0000000002380000-0x00000000033B0000-memory.dmp

Filesize
16.2MB

Download
memory/4468-9-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/4468-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4468-31-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4468-11-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/4468-1-0x0000000002380000-0x00000000033B0000-memory.dmp

Filesize
16.2MB

Download
memory/4468-8-0x0000000002380000-0x00000000033B0000-memory.dmp

Filesize
16.2MB

Download
memory/4468-12-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/4468-10-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download