5e2feff937da52c7caa0ee241a71d7d032866ebab913e3fd83028051a020c9ad

Analysis

max time kernel
90s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
Size

1.4MB
MD5

5d33584d5dfa1eb57d4b5915d7b5c86e
SHA1

1333239d95ae4eb3d95b8ef1a77a67eaa373cd88
SHA256

5e2feff937da52c7caa0ee241a71d7d032866ebab913e3fd83028051a020c9ad
SHA512

560e887867c56bf53987bee5738fe659d21869ee4f9b41c352b28403e4ea5dfa007ccebcb6ccff329e9c5adf396976da8bfe4945d656e3c27c9bca176f71fc86
SSDEEP

24576:G1e9yBNlug9312KoVPsT6npmwhw042QgWQqY:h9sNQSYKoVkT6n4whwL2QgWi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2596	Chrome 5.exe
2576	3002.exe
2068	dcc7975c8a99514da06323f0994cd79b.exe
2724	jhuuee.exe
2780	3002.exe
2932	services64.exe
844	sihost64.exe

Loads dropped DLL 7 IoCs

pid	Process
1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
2576	3002.exe
2596	Chrome 5.exe
2932	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2756	1804	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3002.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1104	schtasks.exe
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	Chrome 5.exe
2932	services64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	dcc7975c8a99514da06323f0994cd79b.exe
Token: SeDebugPrivilege	2596	Chrome 5.exe
Token: SeDebugPrivilege	2932	services64.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2596	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2596	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2596	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2596	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2576	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2576	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2576	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2576	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	31
PID 1804 wrote to memory of 2068	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	33
PID 1804 wrote to memory of 2068	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	33
PID 1804 wrote to memory of 2068	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	33
PID 1804 wrote to memory of 2068	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	33
PID 2576 wrote to memory of 2780	2576	3002.exe	35
PID 2576 wrote to memory of 2780	2576	3002.exe	35
PID 2576 wrote to memory of 2780	2576	3002.exe	35
PID 2576 wrote to memory of 2780	2576	3002.exe	35
PID 1804 wrote to memory of 2756	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	37
PID 1804 wrote to memory of 2756	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	37
PID 1804 wrote to memory of 2756	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	37
PID 1804 wrote to memory of 2756	1804	5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe	37
PID 2596 wrote to memory of 1432	2596	Chrome 5.exe	39
PID 2596 wrote to memory of 1432	2596	Chrome 5.exe	39
PID 2596 wrote to memory of 1432	2596	Chrome 5.exe	39
PID 1432 wrote to memory of 1104	1432	cmd.exe	41
PID 1432 wrote to memory of 1104	1432	cmd.exe	41
PID 1432 wrote to memory of 1104	1432	cmd.exe	41
PID 2596 wrote to memory of 2932	2596	Chrome 5.exe	42
PID 2596 wrote to memory of 2932	2596	Chrome 5.exe	42
PID 2596 wrote to memory of 2932	2596	Chrome 5.exe	42
PID 2932 wrote to memory of 2152	2932	services64.exe	43
PID 2932 wrote to memory of 2152	2932	services64.exe	43
PID 2932 wrote to memory of 2152	2932	services64.exe	43
PID 2932 wrote to memory of 844	2932	services64.exe	45
PID 2932 wrote to memory of 844	2932	services64.exe	45
PID 2932 wrote to memory of 844	2932	services64.exe	45
PID 2152 wrote to memory of 2340	2152	cmd.exe	46
PID 2152 wrote to memory of 2340	2152	cmd.exe	46
PID 2152 wrote to memory of 2340	2152	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d33584d5dfa1eb57d4b5915d7b5c86e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1104
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:844
- C:\Users\Admin\AppData\Local\Temp\3002.exe
  "C:\Users\Admin\AppData\Local\Temp\3002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe
  "C:\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 956
  2⤵
  - Program crash
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400225b3aa92bd3a59fe77d5f2325776

SHA1
d7215664c28ddb4851e6f404479d0fe2c49e37f8

SHA256
0e3edc6039ee79e3f3560c5528703e819db413cc16cf1131a0032ecb2da82072

SHA512
b33b5dbab6dab9b9b5ad65e85ba2dc3337b188380b2d18fdc0608e5f95d498adb155b7e82b959693fd67f9f1201e2199528c632d7bcd8f3f01a55be909d28204

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD72F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD79F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
900KB

MD5
a3e75b6fda5826af709b5e488e7cd9e7

SHA1
2fce3251b18ff02a06083aa8a037def64a604a78

SHA256
8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46

SHA512
6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41

Download Submit
\Users\Admin\AppData\Local\Temp\3002.exe

Filesize
56KB

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Local\Temp\dcc7975c8a99514da06323f0994cd79b.exe

Filesize
8KB

MD5
b4d6498c4aecc1674c710ffd3708f97d

SHA1
fa1b3fdea4780cf885a79c286a9cf99316a91bd0

SHA256
9641cd2b09c5c44cf32f480d8eaf99bc756623a4c7bf93f67fbc0f8f789cac17

SHA512
d0d21c7bd181dbeaa3214842206fa870852851a42819e9ce46b1a4dc3b1f0d7c18a06303340e081900f0270fd37be9e4fa9378c7e4f574e3a7803d25169e8333

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/844-49-0x000000013F7B0000-0x000000013F7B6000-memory.dmp

Filesize
24KB

Download
memory/1804-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x0000000000010000-0x0000000000186000-memory.dmp

Filesize
1.5MB

Download
memory/2068-32-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/2596-33-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2596-34-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2596-31-0x000000013F250000-0x000000013F260000-memory.dmp

Filesize
64KB

Download
memory/2596-24-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2932-41-0x000000013FFB0000-0x000000013FFC0000-memory.dmp

Filesize
64KB

Download