d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
Size

108KB
MD5

5e24f784ead0aacf1a086123d366de4c
SHA1

a92fb961ce46c15870177a3b175fa849be0bf11c
SHA256

d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce
SHA512

34186500b29d06dad5465d633d201b6e540c4a1b0fd9a7ea163329f219be4c892b64c3a65d6e77fba5b64d9050ba29c57bd72f07a081c456b2b830aa644e2014
SSDEEP

768:w7rgnvQjX4KPcAmigvO2B/fJPSysbX2uraeVE65ITnOdqv/q7rgnvQjXMf1DYM8k:w7rA6XbBy8hVrISkv/q7rA6XM1OVf

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 60 IoCs

pid	Process
2640	net.net
2680	net.net
2992	net.net
2412	net.net
1076	net.net
1200	net.net
2476	net.net
1616	net.net
2208	net.net
1440	net.net
884	net.net
1600	net.net
3012	net.net
2792	net.net
1324	net.net
2572	net.net
2336	net.net
2092	net.net
2920	net.net
684	net.net
1560	net.net
3040	net.net
2896	net.net
2596	net.net
2036	net.net
2536	net.net
2680	net.net
2060	net.net
852	net.net
2760	net.net
2100	net.net
2396	net.net
2476	net.net
1572	net.net
1792	net.net
2188	net.net
1800	net.net
1636	net.net
2324	net.net
2796	net.net
1232	net.net
2564	net.net
2988	net.net
2836	net.net
2864	net.net
1852	net.net
1788	net.net
2268	net.net
2232	net.net
1176	net.net
2128	net.net
1012	net.net
1080	net.net
2600	net.net
836	net.net
2196	net.net
2700	net.net
2680	net.net
1528	net.net
2000	net.net

Loads dropped DLL 64 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe
568	cmd.exe
568	cmd.exe
2984	cmd.exe
2984	cmd.exe
1848	cmd.exe
1848	cmd.exe
2760	cmd.exe
2760	cmd.exe
2612	cmd.exe
2612	cmd.exe
1980	cmd.exe
1980	cmd.exe
1620	cmd.exe
1620	cmd.exe
2368	cmd.exe
2368	cmd.exe
2236	cmd.exe
2236	cmd.exe
1800	cmd.exe
1800	cmd.exe
1576	cmd.exe
1576	cmd.exe
3060	cmd.exe
3060	cmd.exe
2652	cmd.exe
2652	cmd.exe
560	cmd.exe
560	cmd.exe
2776	cmd.exe
2776	cmd.exe
2584	cmd.exe
2584	cmd.exe
1172	cmd.exe
1172	cmd.exe
2108	cmd.exe
2108	cmd.exe
1296	cmd.exe
1296	cmd.exe
980	cmd.exe
980	cmd.exe
1976	cmd.exe
1976	cmd.exe
1744	cmd.exe
1744	cmd.exe
884	cmd.exe
884	cmd.exe
2360	cmd.exe
2360	cmd.exe
3028	cmd.exe
3028	cmd.exe
2560	cmd.exe
2560	cmd.exe
2544	cmd.exe
2544	cmd.exe
2492	cmd.exe
2492	cmd.exe
1524	cmd.exe
1524	cmd.exe
924	cmd.exe
924	cmd.exe
1956	cmd.exe
1956	cmd.exe

Checks whether UAC is enabled 1 TTPs 61 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\net.net	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\net.net	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe

Runs ping.exe 1 TTPs 61 IoCs

Remote System Discovery

T1018

pid	Process
560	PING.EXE
2884	PING.EXE
2560	PING.EXE
1716	PING.EXE
1496	PING.EXE
2840	PING.EXE
2684	PING.EXE
944	PING.EXE
468	PING.EXE
2840	PING.EXE
1088	PING.EXE
3056	PING.EXE
1748	PING.EXE
2852	PING.EXE
468	PING.EXE
1808	PING.EXE
1492	PING.EXE
2440	PING.EXE
2296	PING.EXE
2660	PING.EXE
2068	PING.EXE
1912	PING.EXE
2672	PING.EXE
2220	PING.EXE
2120	PING.EXE
3008	PING.EXE
2764	PING.EXE
612	PING.EXE
800	PING.EXE
2776	PING.EXE
876	PING.EXE
2900	PING.EXE
3020	PING.EXE
2736	PING.EXE
1888	PING.EXE
2044	PING.EXE
2816	PING.EXE
1856	PING.EXE
2780	PING.EXE
1292	PING.EXE
2532	PING.EXE
1484	PING.EXE
1868	PING.EXE
2968	PING.EXE
2576	PING.EXE
1936	PING.EXE
2012	PING.EXE
2116	PING.EXE
2096	PING.EXE
608	PING.EXE
2004	PING.EXE
1928	PING.EXE
3056	PING.EXE
1512	PING.EXE
1652	PING.EXE
3068	PING.EXE
2928	PING.EXE
3064	PING.EXE
2464	PING.EXE
2276	PING.EXE
1612	PING.EXE

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
2640	net.net
2680	net.net
2992	net.net
2412	net.net
1076	net.net
1200	net.net
2476	net.net
1616	net.net
2208	net.net
1440	net.net
884	net.net
1600	net.net
3012	net.net
2792	net.net
1324	net.net
2572	net.net
2336	net.net
2092	net.net
2920	net.net
684	net.net
1560	net.net
3040	net.net
2896	net.net
2596	net.net
2036	net.net
2536	net.net
2680	net.net
2060	net.net
852	net.net
2760	net.net
2100	net.net
2396	net.net
2476	net.net
1572	net.net
1792	net.net
2188	net.net
1800	net.net
1636	net.net
2324	net.net
2796	net.net
1232	net.net
2564	net.net
2988	net.net
2836	net.net
2864	net.net
1852	net.net
1788	net.net
2268	net.net
2232	net.net
1176	net.net
2128	net.net
1012	net.net
1080	net.net
2600	net.net
836	net.net
2196	net.net
2700	net.net
2680	net.net
1528	net.net
2000	net.net

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
2640	net.net
2640	net.net
2640	net.net
2680	net.net
2680	net.net
2680	net.net
2992	net.net
2992	net.net
2992	net.net
2412	net.net
2412	net.net
2412	net.net
1076	net.net
1076	net.net
1076	net.net
1200	net.net
1200	net.net
1200	net.net
2476	net.net
2476	net.net
2476	net.net
1616	net.net
1616	net.net
1616	net.net
2208	net.net
2208	net.net
2208	net.net
1440	net.net
1440	net.net
1440	net.net
884	net.net
884	net.net
884	net.net
1600	net.net
1600	net.net
1600	net.net
3012	net.net
3012	net.net
3012	net.net
2792	net.net
2792	net.net
2792	net.net
1324	net.net
1324	net.net
1324	net.net
2572	net.net
2572	net.net
2572	net.net
2336	net.net
2336	net.net
2336	net.net
2092	net.net
2092	net.net
2092	net.net
2920	net.net
2920	net.net
2920	net.net
684	net.net
684	net.net
684	net.net
1560	net.net

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3012	1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	31
PID 1876 wrote to memory of 3012	1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	31
PID 1876 wrote to memory of 3012	1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	31
PID 1876 wrote to memory of 3012	1876	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	31
PID 3012 wrote to memory of 3056	3012	cmd.exe	33
PID 3012 wrote to memory of 3056	3012	cmd.exe	33
PID 3012 wrote to memory of 3056	3012	cmd.exe	33
PID 3012 wrote to memory of 3056	3012	cmd.exe	33
PID 3012 wrote to memory of 2672	3012	cmd.exe	34
PID 3012 wrote to memory of 2672	3012	cmd.exe	34
PID 3012 wrote to memory of 2672	3012	cmd.exe	34
PID 3012 wrote to memory of 2672	3012	cmd.exe	34
PID 2672 wrote to memory of 2640	2672	cmd.exe	35
PID 2672 wrote to memory of 2640	2672	cmd.exe	35
PID 2672 wrote to memory of 2640	2672	cmd.exe	35
PID 2672 wrote to memory of 2640	2672	cmd.exe	35
PID 2640 wrote to memory of 3064	2640	net.net	36
PID 2640 wrote to memory of 3064	2640	net.net	36
PID 2640 wrote to memory of 3064	2640	net.net	36
PID 2640 wrote to memory of 3064	2640	net.net	36
PID 3064 wrote to memory of 2840	3064	cmd.exe	38
PID 3064 wrote to memory of 2840	3064	cmd.exe	38
PID 3064 wrote to memory of 2840	3064	cmd.exe	38
PID 3064 wrote to memory of 2840	3064	cmd.exe	38
PID 3064 wrote to memory of 568	3064	cmd.exe	39
PID 3064 wrote to memory of 568	3064	cmd.exe	39
PID 3064 wrote to memory of 568	3064	cmd.exe	39
PID 3064 wrote to memory of 568	3064	cmd.exe	39
PID 568 wrote to memory of 2680	568	cmd.exe	40
PID 568 wrote to memory of 2680	568	cmd.exe	40
PID 568 wrote to memory of 2680	568	cmd.exe	40
PID 568 wrote to memory of 2680	568	cmd.exe	40
PID 2680 wrote to memory of 2532	2680	net.net	41
PID 2680 wrote to memory of 2532	2680	net.net	41
PID 2680 wrote to memory of 2532	2680	net.net	41
PID 2680 wrote to memory of 2532	2680	net.net	41
PID 2532 wrote to memory of 560	2532	cmd.exe	43
PID 2532 wrote to memory of 560	2532	cmd.exe	43
PID 2532 wrote to memory of 560	2532	cmd.exe	43
PID 2532 wrote to memory of 560	2532	cmd.exe	43
PID 2532 wrote to memory of 2984	2532	cmd.exe	44
PID 2532 wrote to memory of 2984	2532	cmd.exe	44
PID 2532 wrote to memory of 2984	2532	cmd.exe	44
PID 2532 wrote to memory of 2984	2532	cmd.exe	44
PID 2984 wrote to memory of 2992	2984	cmd.exe	45
PID 2984 wrote to memory of 2992	2984	cmd.exe	45
PID 2984 wrote to memory of 2992	2984	cmd.exe	45
PID 2984 wrote to memory of 2992	2984	cmd.exe	45
PID 2992 wrote to memory of 2496	2992	net.net	46
PID 2992 wrote to memory of 2496	2992	net.net	46
PID 2992 wrote to memory of 2496	2992	net.net	46
PID 2992 wrote to memory of 2496	2992	net.net	46
PID 2496 wrote to memory of 2764	2496	cmd.exe	48
PID 2496 wrote to memory of 2764	2496	cmd.exe	48
PID 2496 wrote to memory of 2764	2496	cmd.exe	48
PID 2496 wrote to memory of 2764	2496	cmd.exe	48
PID 2496 wrote to memory of 1848	2496	cmd.exe	49
PID 2496 wrote to memory of 1848	2496	cmd.exe	49
PID 2496 wrote to memory of 1848	2496	cmd.exe	49
PID 2496 wrote to memory of 1848	2496	cmd.exe	49
PID 1848 wrote to memory of 2412	1848	cmd.exe	50
PID 1848 wrote to memory of 2412	1848	cmd.exe	50
PID 1848 wrote to memory of 2412	1848	cmd.exe	50
PID 1848 wrote to memory of 2412	1848	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start "" "C:\Windows\system32\net.net"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\net.net
      "C:\Windows\system32\net.net"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        6⤵
        Runs ping.exe
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        9⤵
        Runs ping.exe
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        12⤵
        Runs ping.exe
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        14⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        15⤵
        Runs ping.exe
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        15⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        16⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        17⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        18⤵
        Runs ping.exe
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        18⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        20⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        21⤵
        Runs ping.exe
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        21⤵
        Loads dropped DLL
        
        PID:1980
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        22⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        23⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        24⤵
        Runs ping.exe
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        24⤵
        Loads dropped DLL
        
        PID:1620
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        26⤵
        
        PID:864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        27⤵
        Runs ping.exe
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        27⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        28⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        29⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        30⤵
        Runs ping.exe
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        30⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        32⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        33⤵
        Runs ping.exe
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        33⤵
        Loads dropped DLL
        
        PID:1800
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        34⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        35⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        36⤵
        Runs ping.exe
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        36⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        38⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        39⤵
        Runs ping.exe
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        39⤵
        Loads dropped DLL
        
        PID:3060
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        41⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        42⤵
        Runs ping.exe
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        42⤵
        Loads dropped DLL
        
        PID:2652
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        44⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        45⤵
        Runs ping.exe
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        45⤵
        Loads dropped DLL
        
        PID:560
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        46⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        47⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        48⤵
        Runs ping.exe
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        48⤵
        Loads dropped DLL
        
        PID:2776
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        50⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        51⤵
        Runs ping.exe
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        51⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        52⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        53⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        54⤵
        Runs ping.exe
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        54⤵
        Loads dropped DLL
        
        PID:1172
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        56⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        57⤵
        Runs ping.exe
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        57⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        59⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        60⤵
        Runs ping.exe
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        60⤵
        Loads dropped DLL
        
        PID:1296
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        62⤵
        
        PID:668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        63⤵
        Runs ping.exe
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        63⤵
        Loads dropped DLL
        
        PID:980
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        65⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        66⤵
        Runs ping.exe
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        66⤵
        Loads dropped DLL
        
        PID:1976
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        67⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        68⤵
        
        PID:952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        69⤵
        Runs ping.exe
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        69⤵
        Loads dropped DLL
        
        PID:1744
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        70⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        71⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        72⤵
        Runs ping.exe
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        72⤵
        Loads dropped DLL
        
        PID:884
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        73⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        74⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        75⤵
        Runs ping.exe
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        75⤵
        Loads dropped DLL
        
        PID:2360
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        76⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        77⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        78⤵
        Runs ping.exe
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        78⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        79⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        80⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        81⤵
        Runs ping.exe
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        81⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        82⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        83⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        84⤵
        Runs ping.exe
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        84⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        85⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        86⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        87⤵
        Runs ping.exe
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        87⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        88⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        89⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        90⤵
        Runs ping.exe
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        90⤵
        Loads dropped DLL
        
        PID:1524
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        92⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        93⤵
        Runs ping.exe
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        93⤵
        Loads dropped DLL
        
        PID:924
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        94⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        95⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        96⤵
        Runs ping.exe
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        96⤵
        Loads dropped DLL
        
        PID:1956
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        97⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        98⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        99⤵
        Runs ping.exe
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        99⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        100⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        101⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        102⤵
        Runs ping.exe
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        102⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        103⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        104⤵
        
        PID:556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        105⤵
        Runs ping.exe
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        105⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        106⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        107⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        108⤵
        Runs ping.exe
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        108⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        109⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        110⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        111⤵
        Runs ping.exe
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        111⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        112⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        113⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        114⤵
        Runs ping.exe
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        114⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        115⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        116⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        117⤵
        Runs ping.exe
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        117⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        118⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        119⤵
        
        PID:836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        120⤵
        Runs ping.exe
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        120⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        121⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        122⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        123⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        123⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        124⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        125⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        126⤵
        Runs ping.exe
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        126⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        127⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        128⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        129⤵
        Runs ping.exe
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        129⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        130⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        131⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        132⤵
        Runs ping.exe
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        132⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        133⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        134⤵
        
        PID:364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        135⤵
        Runs ping.exe
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        135⤵
        
        PID:592
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        136⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        137⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        138⤵
        Runs ping.exe
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        138⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        139⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        140⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        141⤵
        Runs ping.exe
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        141⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        142⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        143⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        144⤵
        Runs ping.exe
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        144⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        145⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        146⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        147⤵
        Runs ping.exe
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        147⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        148⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        149⤵
        
        PID:980
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        150⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        150⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        151⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        152⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        153⤵
        Runs ping.exe
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        153⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        154⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        155⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        156⤵
        Runs ping.exe
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        156⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        157⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        158⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        159⤵
        Runs ping.exe
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        159⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        160⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        161⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        162⤵
        Runs ping.exe
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        162⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        163⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        164⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        165⤵
        Runs ping.exe
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        165⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        166⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        167⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        168⤵
        Runs ping.exe
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        168⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        169⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        170⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        171⤵
        Runs ping.exe
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        171⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        172⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        173⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        174⤵
        Runs ping.exe
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        174⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        175⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        176⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        177⤵
        Runs ping.exe
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        177⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        178⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        179⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        180⤵
        Runs ping.exe
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        180⤵
        
        PID:364
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        181⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        182⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        183⤵
        Runs ping.exe
        
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\net.net

Filesize
108KB

MD5
5e24f784ead0aacf1a086123d366de4c

SHA1
a92fb961ce46c15870177a3b175fa849be0bf11c

SHA256
d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce

SHA512
34186500b29d06dad5465d633d201b6e540c4a1b0fd9a7ea163329f219be4c892b64c3a65d6e77fba5b64d9050ba29c57bd72f07a081c456b2b830aa644e2014

Download Submit
memory/364-240-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/364-239-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/568-15-0x0000000000300000-0x000000000031B000-memory.dmp

Filesize
108KB

Download
memory/980-139-0x0000000000270000-0x000000000028B000-memory.dmp

Filesize
108KB

Download
memory/1076-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1200-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-133-0x0000000000140000-0x000000000015B000-memory.dmp

Filesize
108KB

Download
memory/1296-132-0x0000000000140000-0x000000000015B000-memory.dmp

Filesize
108KB

Download
memory/1440-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1616-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-207-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1744-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1788-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-29-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1848-30-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1876-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-126-0x0000000000160000-0x000000000017B000-memory.dmp

Filesize
108KB

Download
memory/2188-186-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-67-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2336-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2476-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2492-165-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/2536-159-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-95-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2652-93-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2680-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2680-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-206-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-156-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/3060-86-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/3060-85-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download