0f797ac7fe0550bdf4451ca16e230bf9af1bf7313f40de80d159fad7dc192d5d

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
Size

28KB
MD5

74dc858ce7c828ca004f7b688e4668bf
SHA1

567ea549e42fd54dcf65bcf2a61b2820664abdb3
SHA256

0f797ac7fe0550bdf4451ca16e230bf9af1bf7313f40de80d159fad7dc192d5d
SHA512

52320d65fa69c65894f44d73a727dc394ff4cdd3ad8e2ee0c44c45efa5e9734443d8ce4d9800eedec634b8d3744eb8a8973c47e209fe5f94a4e97e2ee0cd6dc6
SSDEEP

768:6H5weZuY7yQG3deWnbn8gXqr6dzqdB8XeO:YwQuY7yQqdem8g0yzqX8Xx

Score

8^/10

discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2952	netsh.exe
2556	netsh.exe
648	netsh.exe
2400	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016d66-4.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
2640	sachostp.exe
1828	sachostw.exe
1900	sachostc.exe
2200	sachosts.exe

Loads dropped DLL 15 IoCs

pid	Process
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2556	netsh.exe
2192	WerFault.exe
648	netsh.exe
636	WerFault.exe
2476	svchost.exe
2476	svchost.exe
2400	netsh.exe
748	WerFault.exe
2816	svchost.exe
2816	svchost.exe
2588	svchost.exe
2588	svchost.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-1-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0009000000016d66-4.dat	upx
behavioral1/memory/2376-7-0x0000000000160000-0x000000000016A000-memory.dmp	upx
behavioral1/memory/2376-14-0x00000000001B0000-0x00000000001B7000-memory.dmp	upx
behavioral1/memory/2376-17-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2556-28-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2376-30-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/648-37-0x0000000000180000-0x000000000018A000-memory.dmp	upx
behavioral1/files/0x0008000000016d58-44.dat	upx
behavioral1/memory/2376-49-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-62-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-66-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-73-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-75-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-77-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-79-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-81-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2376-83-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HostSrv = "C:\\Windows\\sachostx.exe"	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcrl.dll	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sachostp.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hard.lck	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sachostw.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sachostc.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sachosts.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\attrib.ini	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 set thread context of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 set thread context of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sachostx.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
File opened for modification	C:\Windows\sachostx.exe	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2192	2556	WerFault.exe	33
636	648	WerFault.exe	37
748	2400	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2952	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2952	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2952	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2952	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2640	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	32
PID 2376 wrote to memory of 2640	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	32
PID 2376 wrote to memory of 2640	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	32
PID 2376 wrote to memory of 2640	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	32
PID 2376 wrote to memory of 2556	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2556	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2556	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2556	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2192	2556	netsh.exe	35
PID 2556 wrote to memory of 2192	2556	netsh.exe	35
PID 2556 wrote to memory of 2192	2556	netsh.exe	35
PID 2556 wrote to memory of 2192	2556	netsh.exe	35
PID 2376 wrote to memory of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 wrote to memory of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 wrote to memory of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 wrote to memory of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 wrote to memory of 2476	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	36
PID 2376 wrote to memory of 648	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	37
PID 2376 wrote to memory of 648	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	37
PID 2376 wrote to memory of 648	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	37
PID 2376 wrote to memory of 648	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	37
PID 648 wrote to memory of 636	648	netsh.exe	39
PID 648 wrote to memory of 636	648	netsh.exe	39
PID 648 wrote to memory of 636	648	netsh.exe	39
PID 648 wrote to memory of 636	648	netsh.exe	39
PID 2476 wrote to memory of 1828	2476	svchost.exe	40
PID 2476 wrote to memory of 1828	2476	svchost.exe	40
PID 2476 wrote to memory of 1828	2476	svchost.exe	40
PID 2476 wrote to memory of 1828	2476	svchost.exe	40
PID 2376 wrote to memory of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 wrote to memory of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 wrote to memory of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 wrote to memory of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 wrote to memory of 2816	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	41
PID 2376 wrote to memory of 2400	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	42
PID 2376 wrote to memory of 2400	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	42
PID 2376 wrote to memory of 2400	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	42
PID 2376 wrote to memory of 2400	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	42
PID 2400 wrote to memory of 748	2400	netsh.exe	44
PID 2400 wrote to memory of 748	2400	netsh.exe	44
PID 2400 wrote to memory of 748	2400	netsh.exe	44
PID 2400 wrote to memory of 748	2400	netsh.exe	44
PID 2816 wrote to memory of 1900	2816	svchost.exe	45
PID 2816 wrote to memory of 1900	2816	svchost.exe	45
PID 2816 wrote to memory of 1900	2816	svchost.exe	45
PID 2816 wrote to memory of 1900	2816	svchost.exe	45
PID 2376 wrote to memory of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46
PID 2376 wrote to memory of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46
PID 2376 wrote to memory of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46
PID 2376 wrote to memory of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46
PID 2376 wrote to memory of 2588	2376	74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe	46
PID 2588 wrote to memory of 2200	2588	svchost.exe	47
PID 2588 wrote to memory of 2200	2588	svchost.exe	47
PID 2588 wrote to memory of 2200	2588	svchost.exe	47
PID 2588 wrote to memory of 2200	2588	svchost.exe	47

C:\Users\Admin\AppData\Local\Temp\74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "C:\Users\Admin\AppData\Local\Temp\74dc858ce7c828ca004f7b688e4668bf_JaffaCakes118.exe" enable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\SysWOW64\sachostp.exe
  C:\Windows\system32\sachostp.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "C:\Windows\system32\sachostw.exe" enable
  2⤵
  - Modifies Windows Firewall
  - Loads dropped DLL
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 772
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2192
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\sachostw.exe
    C:\Windows\system32\sachostw.exe
    3⤵
    - Executes dropped EXE
    PID:1828
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "C:\Windows\system32\sachostc.exe" enable
  2⤵
  - Modifies Windows Firewall
  - Loads dropped DLL
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 772
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:636
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\sachostc.exe
    C:\Windows\system32\sachostc.exe 58800
    3⤵
    - Executes dropped EXE
    PID:1900
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "C:\Windows\system32\sachosts.exe" enable
  2⤵
  - Modifies Windows Firewall
  - Loads dropped DLL
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 772
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:748
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\sachosts.exe
    C:\Windows\system32\sachosts.exe 54930
    3⤵
    - Executes dropped EXE
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sachostx.exe

Filesize
28KB

MD5
74dc858ce7c828ca004f7b688e4668bf

SHA1
567ea549e42fd54dcf65bcf2a61b2820664abdb3

SHA256
0f797ac7fe0550bdf4451ca16e230bf9af1bf7313f40de80d159fad7dc192d5d

SHA512
52320d65fa69c65894f44d73a727dc394ff4cdd3ad8e2ee0c44c45efa5e9734443d8ce4d9800eedec634b8d3744eb8a8973c47e209fe5f94a4e97e2ee0cd6dc6

Download Submit
\Windows\SysWOW64\msvcrl.dll

Filesize
5KB

MD5
4478971be78b4164b86168adb94b134a

SHA1
a0064b7d43b04c70e604df4fbd34ff605e9d1e01

SHA256
e17f4c06e337582133e64a49efc53c4bf9ea1573e43b00e34add5fbe42cb3751

SHA512
0510cf602fc7e558aed375302d5c9eaafc3f4419692e69d39159293161b573bb942375334ddce87faf8bd6f9ca7bbf9d6bfbb1063c0ca724c1f83967d9f9bc85

Download Submit
\Windows\SysWOW64\sachostc.exe

Filesize
4KB

MD5
0a44f42f9302fc523033351276b0ae04

SHA1
9e3d76be7c48c026685382721f3b49b090dad93b

SHA256
33065854692ca2f68dc42d9d3fa105d9287c0d4b8f8129b6c45f953af7150234

SHA512
3e305863f07aad5d07658bcdc6b3fcb17e3f32099d990bd08d98790741a137c34000c2a351b40b2093879b19cfb7ff99cc5c080f263ab636134c845ce907782e

Download Submit
\Windows\SysWOW64\sachostp.exe

Filesize
7KB

MD5
944e3fe77b60e7caf4a5a1600b3c47c7

SHA1
f36a1018d7abc9ad241513a7b87b5d1003b93ffe

SHA256
c9790a3e417a4dafe2a3f3c0b87664f1fe8ea934d7ff05ded4fbde7f7e3564b6

SHA512
d02353d7efa31862b26c68876bb4b462d7ce91827ee3ba0f623435a8d33db49c6f8aad562d1a3fc9f7c5071dae53536f99c7f81d7e82d1593e993b4db130dc2f

Download Submit
\Windows\SysWOW64\sachosts.exe

Filesize
4KB

MD5
7b96edfe3953e8ec9f17b4c4dbf7125c

SHA1
8d9b22781233b3a34062a8d71cf6da4638d17421

SHA256
4bd8a40b18410e74facd26e201a96197d30920ea273aac009aadad001d7009cf

SHA512
7d63c1ec12c56e051d55bf1f86976da02e58176a975b947c8e7bd185644883aa698cc8e82f38a86d6e05ff2cc6922ce38edc543b58430779a99aaad31e28e9af

Download Submit
\Windows\SysWOW64\sachostw.exe

Filesize
8KB

MD5
184c0af556f26ae5ec513a2995194f5a

SHA1
340242e731485180b603fe3df6651ccab03bace8

SHA256
7ddf60e8e78eb566321e22f7bfe0583e85c2022f8c69c153cd5108650921069e

SHA512
a7cefa8f2c8d31e1da005ca7e24d16dffd7f555fbfc79d4f49e0e8b2ff8e8fe3f071c81546f5b65924a0144cd80a889b0d3f2ada56d2ccd9bc42b6abd0aea945

Download Submit
memory/648-37-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/1828-48-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1828-43-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1900-61-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2376-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-14-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2376-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-7-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2376-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-15-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2376-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2376-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2476-35-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2476-32-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2556-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2588-70-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2640-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2816-58-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download