1d14c73c9b45a28d1d259b1b05dace849e2f79b0a73aa3015697159259a12721

Analysis

max time kernel
143s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Size

238KB
MD5

642828913b14f027828764150ea5d18f
SHA1

656ec6e56db3bd0176d46b44af23b20ab616eee4
SHA256

1d14c73c9b45a28d1d259b1b05dace849e2f79b0a73aa3015697159259a12721
SHA512

c763047021f5acf9e25d70c506483b186e4d5a5f47178a2f9a985e9a4d0551977d03b3888e2fe756204c2b5441bc1f0890d74c4532e7a1cee009192e597bd59c
SSDEEP

6144:mgP/Cp0w0NQmvG3W9D8fDAIWXkUIh6g+j:Kpwemv0W9DaW0Ue6x

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 48 IoCs

pid	Process
3156	Netcro.bat
3624	Netcro.bat
1964	Netcro.bat
2172	Netcro.bat
4188	Netcro.bat
1864	Netcro.bat
3640	Netcro.bat
1980	Netcro.bat
116	Netcro.bat
1432	Netcro.bat
1360	Netcro.bat
1072	Netcro.bat
4268	Netcro.bat
212	Netcro.bat
516	Netcro.bat
2024	Netcro.bat
1564	Netcro.bat
1704	Netcro.bat
2920	Netcro.bat
4072	Netcro.bat
3752	Netcro.bat
4448	Netcro.bat
5108	Netcro.bat
3252	Netcro.bat
3452	Netcro.bat
2360	Netcro.bat
4984	Netcro.bat
2520	Netcro.bat
4384	Netcro.bat
4336	Netcro.bat
2164	Netcro.bat
1620	Netcro.bat
4296	Netcro.bat
3568	Netcro.bat
3124	Netcro.bat
1520	Netcro.bat
3020	Netcro.bat
2380	Netcro.bat
1968	Netcro.bat
3376	Netcro.bat
4904	Netcro.bat
1196	Netcro.bat
5080	Netcro.bat
2712	Netcro.bat
3692	Netcro.bat
1504	Netcro.bat
2788	Netcro.bat
4644	Netcro.bat

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023466-30.dat	upx
behavioral2/memory/3156-89-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1964-130-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3156-128-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/516-134-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3452-132-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1620-142-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4448-141-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1196-138-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2164-137-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3252-144-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1968-146-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4296-148-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1864-151-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2920-155-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2172-153-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/212-158-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1432-160-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3624-168-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4072-182-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4984-184-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2712-201-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1564-215-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2520-214-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1980-211-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1360-210-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3752-209-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3692-208-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4644-207-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4188-206-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3376-205-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3020-204-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3640-203-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4336-202-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3568-188-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1504-190-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2788-193-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/5080-191-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/5108-192-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4904-181-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/116-178-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2380-177-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1520-174-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1072-173-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1704-170-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4268-166-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3124-165-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4384-162-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2360-218-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2024-219-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\DelegateFolders	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDC978D6-4D53-4b2f-A265-5805674BE568}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64693913-1c21-4f30-a98f-4e52906d3b56}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89D83576-6BD1-4c86-9454-BEB04E94C819}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a00ee528-ebd9-48b8-944a-8942113d46ac}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e345f35f-9397-435c-8f95-4e922c26259e}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\DelegateFolders	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}	642828913b14f027828764150ea5d18f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1964	Netcro.bat
Token: SeRestorePrivilege	1964	Netcro.bat
Token: SeSecurityPrivilege	1964	Netcro.bat
Token: SeSecurityPrivilege	1964	Netcro.bat
Token: SeBackupPrivilege	3156	Netcro.bat
Token: SeRestorePrivilege	3156	Netcro.bat
Token: SeSecurityPrivilege	3156	Netcro.bat
Token: SeBackupPrivilege	4296	Netcro.bat
Token: SeRestorePrivilege	4296	Netcro.bat
Token: SeBackupPrivilege	4448	Netcro.bat
Token: SeRestorePrivilege	4448	Netcro.bat
Token: SeBackupPrivilege	1620	Netcro.bat
Token: SeRestorePrivilege	1620	Netcro.bat
Token: SeBackupPrivilege	3252	Netcro.bat
Token: SeRestorePrivilege	3252	Netcro.bat
Token: SeBackupPrivilege	2164	Netcro.bat
Token: SeBackupPrivilege	516	Netcro.bat
Token: SeRestorePrivilege	2164	Netcro.bat
Token: SeRestorePrivilege	516	Netcro.bat
Token: SeBackupPrivilege	1196	Netcro.bat
Token: SeRestorePrivilege	1196	Netcro.bat
Token: SeBackupPrivilege	3452	Netcro.bat
Token: SeRestorePrivilege	3452	Netcro.bat
Token: SeBackupPrivilege	2172	Netcro.bat
Token: SeRestorePrivilege	2172	Netcro.bat
Token: SeBackupPrivilege	1968	Netcro.bat
Token: SeRestorePrivilege	1968	Netcro.bat
Token: SeBackupPrivilege	1864	Netcro.bat
Token: SeRestorePrivilege	1864	Netcro.bat
Token: SeSecurityPrivilege	2172	Netcro.bat
Token: SeSecurityPrivilege	1864	Netcro.bat
Token: SeSecurityPrivilege	1864	Netcro.bat
Token: SeBackupPrivilege	1520	Netcro.bat
Token: SeRestorePrivilege	1520	Netcro.bat
Token: SeBackupPrivilege	212	Netcro.bat
Token: SeRestorePrivilege	212	Netcro.bat
Token: SeBackupPrivilege	2920	Netcro.bat
Token: SeRestorePrivilege	2920	Netcro.bat
Token: SeBackupPrivilege	3624	Netcro.bat
Token: SeRestorePrivilege	3624	Netcro.bat
Token: SeBackupPrivilege	1432	Netcro.bat
Token: SeRestorePrivilege	1432	Netcro.bat
Token: SeBackupPrivilege	3124	Netcro.bat
Token: SeBackupPrivilege	2380	Netcro.bat
Token: SeRestorePrivilege	3124	Netcro.bat
Token: SeRestorePrivilege	2380	Netcro.bat
Token: SeBackupPrivilege	4268	Netcro.bat
Token: SeRestorePrivilege	4268	Netcro.bat
Token: SeSecurityPrivilege	3624	Netcro.bat
Token: SeSecurityPrivilege	3624	Netcro.bat
Token: SeSecurityPrivilege	1432	Netcro.bat
Token: SeBackupPrivilege	1704	Netcro.bat
Token: SeRestorePrivilege	1704	Netcro.bat
Token: SeBackupPrivilege	4384	Netcro.bat
Token: SeRestorePrivilege	4384	Netcro.bat
Token: SeBackupPrivilege	1504	Netcro.bat
Token: SeRestorePrivilege	1504	Netcro.bat
Token: SeBackupPrivilege	2712	Netcro.bat
Token: SeRestorePrivilege	2712	Netcro.bat
Token: SeBackupPrivilege	116	Netcro.bat
Token: SeRestorePrivilege	116	Netcro.bat
Token: SeBackupPrivilege	3568	Netcro.bat
Token: SeRestorePrivilege	3568	Netcro.bat
Token: SeBackupPrivilege	4072	Netcro.bat

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3156	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3156	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3156	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	86
PID 5036 wrote to memory of 3624	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	87
PID 5036 wrote to memory of 3624	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	87
PID 5036 wrote to memory of 3624	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	87
PID 5036 wrote to memory of 1964	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	88
PID 5036 wrote to memory of 1964	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	88
PID 5036 wrote to memory of 1964	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	88
PID 5036 wrote to memory of 2172	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	89
PID 5036 wrote to memory of 2172	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	89
PID 5036 wrote to memory of 2172	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	89
PID 5036 wrote to memory of 4188	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	90
PID 5036 wrote to memory of 4188	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	90
PID 5036 wrote to memory of 4188	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	90
PID 5036 wrote to memory of 1864	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	91
PID 5036 wrote to memory of 1864	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	91
PID 5036 wrote to memory of 1864	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	91
PID 5036 wrote to memory of 3640	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	92
PID 5036 wrote to memory of 3640	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	92
PID 5036 wrote to memory of 3640	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	92
PID 5036 wrote to memory of 1980	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	93
PID 5036 wrote to memory of 1980	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	93
PID 5036 wrote to memory of 1980	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	93
PID 5036 wrote to memory of 116	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	94
PID 5036 wrote to memory of 116	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	94
PID 5036 wrote to memory of 116	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	94
PID 5036 wrote to memory of 1432	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	95
PID 5036 wrote to memory of 1432	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	95
PID 5036 wrote to memory of 1432	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	95
PID 5036 wrote to memory of 1360	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	96
PID 5036 wrote to memory of 1360	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	96
PID 5036 wrote to memory of 1360	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	96
PID 5036 wrote to memory of 1072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	97
PID 5036 wrote to memory of 1072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	97
PID 5036 wrote to memory of 1072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	97
PID 5036 wrote to memory of 4268	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	98
PID 5036 wrote to memory of 4268	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	98
PID 5036 wrote to memory of 4268	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	98
PID 5036 wrote to memory of 2788	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	99
PID 5036 wrote to memory of 2788	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	99
PID 5036 wrote to memory of 2788	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	99
PID 5036 wrote to memory of 212	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	100
PID 5036 wrote to memory of 212	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	100
PID 5036 wrote to memory of 212	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	100
PID 5036 wrote to memory of 516	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	102
PID 5036 wrote to memory of 516	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	102
PID 5036 wrote to memory of 516	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	102
PID 5036 wrote to memory of 2024	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	103
PID 5036 wrote to memory of 2024	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	103
PID 5036 wrote to memory of 2024	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	103
PID 5036 wrote to memory of 1564	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	104
PID 5036 wrote to memory of 1564	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	104
PID 5036 wrote to memory of 1564	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	104
PID 5036 wrote to memory of 1704	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	106
PID 5036 wrote to memory of 1704	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	106
PID 5036 wrote to memory of 1704	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	106
PID 5036 wrote to memory of 2920	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	107
PID 5036 wrote to memory of 2920	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	107
PID 5036 wrote to memory of 2920	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	107
PID 5036 wrote to memory of 4072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	109
PID 5036 wrote to memory of 4072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	109
PID 5036 wrote to memory of 4072	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	109
PID 5036 wrote to memory of 3752	5036	642828913b14f027828764150ea5d18f_JaffaCakes118.exe	110

C:\Users\Admin\AppData\Local\Temp\642828913b14f027828764150ea5d18f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\642828913b14f027828764150ea5d18f_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Public\Desktop\上网主页.lnk" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Admin\Desktop\Internet Explorer.lnk" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Public\Desktop\Internet Explorer.lnk" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Public\Desktop\淘宝购物.lnk" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Public\Desktop\在线小游戏.lnk" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Admin\AppData\Local\Temp\tb.ico" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Users\Admin\AppData\Local\Temp\642828913b14f027828764150ea5d18f_JaffaCakes118.exe" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Program Files\Realtek\ations.sot" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Program Files\Realtek\youwo.sot" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "C:\Program Files\Realtek\duoyu.oed" -ot file -op "dacl:p_nc;sacl:p_nc" -actn setprot -actn clear -clr "dacl,sacl" -actn ace -ace "n:everyone;p:read_ex"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{89D83576-6BD1-4c86-9454-BEB04E94C819}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{daf95313-e44d-46af-be1b-cbacea2c3065}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{EDC978D6-4D53-4b2f-A265-5805674BE568}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{04731B67-D933-450a-90E6-4ACD2E9408FE}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{9343812e-1c37-4a49-a12e-4b2d810d956b}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{EDC978D6-4D53-4b2f-A265-5805674BE568}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{f8278c54-a712-415b-b593-b77a2be0dda9}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{a00ee528-ebd9-48b8-944a-8942113d46ac}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{EDC978D6-4D53-4b2f-A265-5805674BE568}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{f8278c54-a712-415b-b593-b77a2be0dda9}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e345f35f-9397-435c-8f95-4e922c26259e}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{f8278c54-a712-415b-b593-b77a2be0dda9}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{EDC978D6-4D53-4b2f-A265-5805674BE568}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Netcro.bat
  Netcro.bat -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{f8278c54-a712-415b-b593-b77a2be0dda9}" -ot reg -actn ace -ace "n:everyone;p:full"
  2⤵
  - Executes dropped EXE
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Netcro.bat

Filesize
136KB

MD5
627985c64dd0a467645025c2f5b34be2

SHA1
e577e48ddddcf86f2bc0920af3d080139c34ee0e

SHA256
7bac250643d481ea8f492efc3a9e226e6f8b04bfa474d37321a16c215066791b

SHA512
6556c0ec4aaf17be4aa6459667358e936f40bd5ccae49658c80e164df8f4a9d449bbb744fd63811d2d4de9f4da6b0a0c241317110e10bd7afef8c97871da60b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tb.ico

Filesize
23KB

MD5
53eb818ad37f408d1d3e5450ed525691

SHA1
a6cba50c756d9614d597819f786efc8b7cba505d

SHA256
ff539a2ea908672aae8571430594b2d31694112581f227a481af854a2a35bc39

SHA512
9f1de08ed805aeb3e2caf170381b5fff79925d9cb900b1f955a17d3dffbb4fde47ea22b17368df303ac4490722f4a72d0fd9db01daf1e823beebed390c4179fa

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
31b1c7182a851ad2a9b5c0d0de843fa6

SHA1
74142194c756133b1669499160767b7dfe66842c

SHA256
82055ba3fa65be1e7f3ae39c17d91d32c4fce4c45f467c1552b12bfa5426e8e0

SHA512
c33e165098c8cab11eacc99f6931f68ffc871d7c6657018fb5dea7678ccfcf72953adf6f52585bdc7dc433396fe2a02cf14c4612423f987760f55fa9ab3414c2

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
de1f0998cb17eba5cb0b7802514fdda7

SHA1
82a0a70c15bd6de0751cc707f599cdca4a4126ad

SHA256
fdcc21273b4a022dca65e1458354127b67d449abc447fcfb33a5ef78e3b353f0

SHA512
c6781950bde6ad88caced1efb8be3db328227ac2cdbb5614e2b375efc7dd7867224279ed3becadeebadcb7d00cbc6f57c1931a2e346078024520f6a95e7c5f67

Download Submit
memory/116-178-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/212-158-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/516-134-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1072-173-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1196-138-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1360-210-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1432-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1504-190-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1520-174-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1564-215-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1620-142-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1704-170-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1864-151-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-130-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1968-146-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1980-211-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2024-219-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2164-137-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2172-153-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2360-218-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2380-177-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2520-214-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2712-201-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2788-193-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2920-155-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3020-204-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3124-165-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3156-128-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3156-89-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3252-144-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3376-205-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3452-132-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3568-188-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3624-168-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3640-203-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3692-208-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3752-209-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4072-182-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4188-206-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4268-166-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4296-148-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4336-202-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4384-162-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4448-141-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4644-207-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4904-181-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4984-184-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5080-191-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5108-192-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download