d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
Size

108KB
MD5

5e24f784ead0aacf1a086123d366de4c
SHA1

a92fb961ce46c15870177a3b175fa849be0bf11c
SHA256

d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce
SHA512

34186500b29d06dad5465d633d201b6e540c4a1b0fd9a7ea163329f219be4c892b64c3a65d6e77fba5b64d9050ba29c57bd72f07a081c456b2b830aa644e2014
SSDEEP

768:w7rgnvQjX4KPcAmigvO2B/fJPSysbX2uraeVE65ITnOdqv/q7rgnvQjXMf1DYM8k:w7rA6XbBy8hVrISkv/q7rA6XM1OVf

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4604	net.net
4060	net.net
2220	net.net
3520	net.net
1680	net.net
3696	net.net
460	net.net
620	net.net
3988	net.net
184	net.net
3260	net.net
1828	net.net
1800	net.net
4928	net.net
1440	net.net
1512	net.net
3180	net.net
2240	net.net
4416	net.net
4008	net.net
4804	net.net
3612	net.net
212	net.net
1132	net.net
384	net.net
1856	net.net
1852	net.net
2372	net.net
2456	net.net
4000	net.net
1724	net.net
3512	net.net
4828	net.net
3848	net.net
1752	net.net
4288	net.net
2816	net.net
3328	net.net
3400	net.net
4528	net.net
4816	net.net
1328	net.net
4448	net.net
2964	net.net
4936	net.net
3336	net.net
2152	net.net
1876	net.net
3016	net.net
2288	net.net
3932	net.net
2720	net.net
2404	net.net
692	net.net
636	net.net
4976	net.net
2580	net.net
2900	net.net
3068	net.net
4008	net.net
2456	net.net
2760	net.net
3372	net.net
744	net.net

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\net.net	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\net.net	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4816	PING.EXE
3032	PING.EXE
464	PING.EXE
224	PING.EXE
1756	PING.EXE
4812	PING.EXE
1496	PING.EXE
3608	PING.EXE
428	PING.EXE
1892	PING.EXE
3588	PING.EXE
392	PING.EXE
2096	PING.EXE
4792	PING.EXE
5092	PING.EXE
2692	PING.EXE
4804	PING.EXE
1136	PING.EXE
4528	PING.EXE
3740	PING.EXE
736	PING.EXE
804	PING.EXE
3360	PING.EXE
4888	PING.EXE
2196	PING.EXE
2948	PING.EXE
2624	PING.EXE
4132	PING.EXE
4008	PING.EXE
1356	PING.EXE
4436	PING.EXE
2080	PING.EXE
4596	PING.EXE
2712	PING.EXE
4576	PING.EXE
3636	PING.EXE
4328	PING.EXE
3744	PING.EXE
4936	PING.EXE
1524	PING.EXE
3392	PING.EXE
1564	PING.EXE
4988	PING.EXE
3080	PING.EXE
4692	PING.EXE
2140	PING.EXE
3360	PING.EXE
1652	PING.EXE
900	PING.EXE
1888	PING.EXE
3940	PING.EXE
3136	PING.EXE
1828	PING.EXE
756	PING.EXE
4604	PING.EXE
392	PING.EXE
4456	PING.EXE
4416	PING.EXE
2872	PING.EXE
2664	PING.EXE
5052	PING.EXE
4976	PING.EXE
2456	PING.EXE
2904	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
4604	net.net
4604	net.net
4060	net.net
4060	net.net
2220	net.net
2220	net.net
3520	net.net
3520	net.net
1680	net.net
1680	net.net
3696	net.net
3696	net.net
460	net.net
460	net.net
620	net.net
620	net.net
3988	net.net
3988	net.net
184	net.net
184	net.net
3260	net.net
3260	net.net
1828	net.net
1828	net.net
1800	net.net
1800	net.net
4928	net.net
4928	net.net
1440	net.net
1440	net.net
1512	net.net
1512	net.net
3180	net.net
3180	net.net
2240	net.net
2240	net.net
4416	net.net
4416	net.net
4008	net.net
4008	net.net
4804	net.net
4804	net.net
3612	net.net
3612	net.net
212	net.net
212	net.net
1132	net.net
1132	net.net
384	net.net
384	net.net
1856	net.net
1856	net.net
1852	net.net
1852	net.net
2372	net.net
2372	net.net
2456	net.net
2456	net.net
4000	net.net
4000	net.net
1724	net.net
1724	net.net

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
4604	net.net
4604	net.net
4604	net.net
4060	net.net
4060	net.net
4060	net.net
2220	net.net
2220	net.net
2220	net.net
3520	net.net
3520	net.net
3520	net.net
1680	net.net
1680	net.net
1680	net.net
3696	net.net
3696	net.net
3696	net.net
460	net.net
460	net.net
460	net.net
620	net.net
620	net.net
620	net.net
3988	net.net
3988	net.net
3988	net.net
184	net.net
184	net.net
184	net.net
3260	net.net
3260	net.net
3260	net.net
1828	net.net
1828	net.net
1828	net.net
1800	net.net
1800	net.net
1800	net.net
4928	net.net
4928	net.net
4928	net.net
1440	net.net
1440	net.net
1440	net.net
1512	net.net
1512	net.net
1512	net.net
3180	net.net
3180	net.net
3180	net.net
2240	net.net
2240	net.net
2240	net.net
4416	net.net
4416	net.net
4416	net.net
4008	net.net
4008	net.net
4008	net.net
4804	net.net

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 1328	5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	84
PID 5100 wrote to memory of 1328	5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	84
PID 5100 wrote to memory of 1328	5100	5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe	84
PID 1328 wrote to memory of 3392	1328	cmd.exe	86
PID 1328 wrote to memory of 3392	1328	cmd.exe	86
PID 1328 wrote to memory of 3392	1328	cmd.exe	86
PID 1328 wrote to memory of 1840	1328	cmd.exe	90
PID 1328 wrote to memory of 1840	1328	cmd.exe	90
PID 1328 wrote to memory of 1840	1328	cmd.exe	90
PID 1840 wrote to memory of 4604	1840	cmd.exe	91
PID 1840 wrote to memory of 4604	1840	cmd.exe	91
PID 1840 wrote to memory of 4604	1840	cmd.exe	91
PID 4604 wrote to memory of 4648	4604	net.net	92
PID 4604 wrote to memory of 4648	4604	net.net	92
PID 4604 wrote to memory of 4648	4604	net.net	92
PID 4648 wrote to memory of 1892	4648	cmd.exe	94
PID 4648 wrote to memory of 1892	4648	cmd.exe	94
PID 4648 wrote to memory of 1892	4648	cmd.exe	94
PID 4648 wrote to memory of 3016	4648	cmd.exe	99
PID 4648 wrote to memory of 3016	4648	cmd.exe	99
PID 4648 wrote to memory of 3016	4648	cmd.exe	99
PID 3016 wrote to memory of 4060	3016	cmd.exe	100
PID 3016 wrote to memory of 4060	3016	cmd.exe	100
PID 3016 wrote to memory of 4060	3016	cmd.exe	100
PID 4060 wrote to memory of 3488	4060	net.net	101
PID 4060 wrote to memory of 3488	4060	net.net	101
PID 4060 wrote to memory of 3488	4060	net.net	101
PID 3488 wrote to memory of 1756	3488	cmd.exe	103
PID 3488 wrote to memory of 1756	3488	cmd.exe	103
PID 3488 wrote to memory of 1756	3488	cmd.exe	103
PID 3488 wrote to memory of 1888	3488	cmd.exe	104
PID 3488 wrote to memory of 1888	3488	cmd.exe	104
PID 3488 wrote to memory of 1888	3488	cmd.exe	104
PID 1888 wrote to memory of 2220	1888	cmd.exe	105
PID 1888 wrote to memory of 2220	1888	cmd.exe	105
PID 1888 wrote to memory of 2220	1888	cmd.exe	105
PID 2220 wrote to memory of 2816	2220	net.net	106
PID 2220 wrote to memory of 2816	2220	net.net	106
PID 2220 wrote to memory of 2816	2220	net.net	106
PID 2816 wrote to memory of 804	2816	cmd.exe	109
PID 2816 wrote to memory of 804	2816	cmd.exe	109
PID 2816 wrote to memory of 804	2816	cmd.exe	109
PID 2816 wrote to memory of 5092	2816	cmd.exe	110
PID 2816 wrote to memory of 5092	2816	cmd.exe	110
PID 2816 wrote to memory of 5092	2816	cmd.exe	110
PID 5092 wrote to memory of 3520	5092	cmd.exe	111
PID 5092 wrote to memory of 3520	5092	cmd.exe	111
PID 5092 wrote to memory of 3520	5092	cmd.exe	111
PID 3520 wrote to memory of 3000	3520	net.net	112
PID 3520 wrote to memory of 3000	3520	net.net	112
PID 3520 wrote to memory of 3000	3520	net.net	112
PID 3000 wrote to memory of 2712	3000	cmd.exe	114
PID 3000 wrote to memory of 2712	3000	cmd.exe	114
PID 3000 wrote to memory of 2712	3000	cmd.exe	114
PID 3000 wrote to memory of 3556	3000	cmd.exe	116
PID 3000 wrote to memory of 3556	3000	cmd.exe	116
PID 3000 wrote to memory of 3556	3000	cmd.exe	116
PID 3556 wrote to memory of 1680	3556	cmd.exe	117
PID 3556 wrote to memory of 1680	3556	cmd.exe	117
PID 3556 wrote to memory of 1680	3556	cmd.exe	117
PID 1680 wrote to memory of 5024	1680	net.net	118
PID 1680 wrote to memory of 5024	1680	net.net	118
PID 1680 wrote to memory of 5024	1680	net.net	118
PID 5024 wrote to memory of 2664	5024	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e24f784ead0aacf1a086123d366de4c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start "" "C:\Windows\system32\net.net"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\net.net
      "C:\Windows\system32\net.net"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        6⤵
        Runs ping.exe
        
        PID:1892
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        9⤵
        Runs ping.exe
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        12⤵
        Runs ping.exe
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        15⤵
        Runs ping.exe
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        16⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        18⤵
        Runs ping.exe
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        18⤵
        
        PID:392
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        20⤵
        
        PID:824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        21⤵
        Runs ping.exe
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        21⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        22⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        23⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        24⤵
        Runs ping.exe
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        24⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        26⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        27⤵
        Runs ping.exe
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        27⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        28⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        29⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        30⤵
        Runs ping.exe
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        30⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        32⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        33⤵
        Runs ping.exe
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        33⤵
        
        PID:540
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        34⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        35⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        36⤵
        Runs ping.exe
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        36⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        38⤵
        
        PID:732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        39⤵
        Runs ping.exe
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        39⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        41⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        42⤵
        Runs ping.exe
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        42⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        44⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        45⤵
        Runs ping.exe
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        45⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        46⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        47⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        48⤵
        Runs ping.exe
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        48⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        50⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        51⤵
        Runs ping.exe
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        51⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        52⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        53⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        54⤵
        Runs ping.exe
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        54⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        56⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        57⤵
        Runs ping.exe
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        57⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        59⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        60⤵
        Runs ping.exe
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        60⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        62⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        63⤵
        Runs ping.exe
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        63⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        65⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        66⤵
        Runs ping.exe
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        66⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        67⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        68⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        69⤵
        Runs ping.exe
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        69⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        70⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        71⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        72⤵
        Runs ping.exe
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        72⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        73⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        74⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        75⤵
        Runs ping.exe
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        75⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        76⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        77⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        78⤵
        Runs ping.exe
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        78⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        79⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        80⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        81⤵
        Runs ping.exe
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        81⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        82⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        83⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        84⤵
        Runs ping.exe
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        84⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        85⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        86⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        87⤵
        Runs ping.exe
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        87⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        88⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        89⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        90⤵
        Runs ping.exe
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        90⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        92⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        93⤵
        Runs ping.exe
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        93⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        94⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        95⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        96⤵
        Runs ping.exe
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        96⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        97⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        98⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        99⤵
        Runs ping.exe
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        99⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        100⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        101⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        102⤵
        Runs ping.exe
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        102⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        103⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        104⤵
        
        PID:552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        105⤵
        Runs ping.exe
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        105⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        106⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        107⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        108⤵
        Runs ping.exe
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        108⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        109⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        110⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        111⤵
        Runs ping.exe
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        111⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        112⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        113⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        114⤵
        Runs ping.exe
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        114⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        115⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        116⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        117⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        117⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        118⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        119⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        120⤵
        Runs ping.exe
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        120⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        121⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        122⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        123⤵
        Runs ping.exe
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        123⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        124⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        125⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        126⤵
        Runs ping.exe
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        126⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        127⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        128⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        129⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        129⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        130⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        131⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        132⤵
        Runs ping.exe
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        132⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        133⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        134⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        135⤵
        Runs ping.exe
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        135⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        136⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        137⤵
        
        PID:244
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        138⤵
        Runs ping.exe
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        138⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        139⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        140⤵
        
        PID:212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        141⤵
        Runs ping.exe
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        141⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        142⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        143⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        144⤵
        Runs ping.exe
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        144⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        145⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        146⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        147⤵
        Runs ping.exe
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        147⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        148⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        149⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        150⤵
        Runs ping.exe
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        150⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        151⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        152⤵
        
        PID:900
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        153⤵
        Runs ping.exe
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        153⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        154⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        155⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        156⤵
        Runs ping.exe
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        156⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        157⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        158⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        159⤵
        Runs ping.exe
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        159⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        160⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        161⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        162⤵
        Runs ping.exe
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        162⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        163⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        164⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        165⤵
        Runs ping.exe
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        165⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        166⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        167⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        168⤵
        Runs ping.exe
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        168⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        169⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        170⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        171⤵
        Runs ping.exe
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        171⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        172⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        173⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        174⤵
        Runs ping.exe
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        174⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        175⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        176⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        177⤵
        Runs ping.exe
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        177⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        178⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        179⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        180⤵
        Runs ping.exe
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        180⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        181⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        182⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        183⤵
        Runs ping.exe
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        183⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        184⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        185⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        186⤵
        Runs ping.exe
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        186⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        187⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        188⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        189⤵
        Runs ping.exe
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        189⤵
        
        PID:756
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        190⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        191⤵
        
        PID:660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        192⤵
        Runs ping.exe
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        192⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        193⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        194⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        195⤵
        Runs ping.exe
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        195⤵
        
        PID:384
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        196⤵
        Checks whether UAC is enabled
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        197⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        198⤵
        Runs ping.exe
        
        PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\net.net

Filesize
108KB

MD5
5e24f784ead0aacf1a086123d366de4c

SHA1
a92fb961ce46c15870177a3b175fa849be0bf11c

SHA256
d65d4e139df9c545dffc30e140a60cdce59af0e05a68deba1887abcd5fb8e8ce

SHA512
34186500b29d06dad5465d633d201b6e540c4a1b0fd9a7ea163329f219be4c892b64c3a65d6e77fba5b64d9050ba29c57bd72f07a081c456b2b830aa644e2014

Download Submit
memory/184-48-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/212-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/384-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/444-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/460-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/636-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/692-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/744-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1132-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1328-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1440-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1512-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1800-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1856-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2152-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-207-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-235-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3180-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3260-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3260-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3328-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3336-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3372-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3400-164-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3512-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3520-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3612-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3848-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3932-211-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4288-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4416-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4604-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4828-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4928-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-187-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download