sality | e12e296606b7ab98a42f95fa9e0e4d037a770a58d3b9dc21c502bd6e10cec09b

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Size

1.0MB
MD5

b4a8bbdcd6dcc5ef7741a5f7539cc897
SHA1

496784b3bb7fc943380d1ee2f3ab7169ab14b29c
SHA256

e12e296606b7ab98a42f95fa9e0e4d037a770a58d3b9dc21c502bd6e10cec09b
SHA512

40c5feede4ba1406dacf251d527a0b7a26e568c5bcdeee7ecbcadaa1b5ca5917e578edd64ba5cf9568407c9315c767f2be69fff95ad00809fd6f5e79007342e8
SSDEEP

24576:ywiw+bth7GwWON5+VowOHbFLfYIiCHgpcFB9wlTn:yI+bth7GVONbwOHbFjYkHgp1b

Score

10^/10

sality backdoor defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5080	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	pxinstall625.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-0-0x0000000000400000-0x0000000000519000-memory.dmp	upx
behavioral2/memory/3156-1-0x00000000023E0000-0x0000000003410000-memory.dmp	upx
behavioral2/memory/3156-5-0x00000000023E0000-0x0000000003410000-memory.dmp	upx
behavioral2/memory/3156-8-0x00000000023E0000-0x0000000003410000-memory.dmp	upx
behavioral2/memory/3156-42-0x0000000000400000-0x0000000000519000-memory.dmp	upx
behavioral2/memory/3156-31-0x00000000023E0000-0x0000000003410000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
File opened for modification	C:\Windows\wininit.ini	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxinstall625.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
1916	pxinstall625.exe
1916	pxinstall625.exe
4856	msedge.exe
4856	msedge.exe
3856	msedge.exe
3856	msedge.exe
4212	identity_helper.exe
4212	identity_helper.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
Token: SeDebugPrivilege	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1916	pxinstall625.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 768	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	8
PID 3156 wrote to memory of 772	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	9
PID 3156 wrote to memory of 332	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	13
PID 3156 wrote to memory of 2544	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	45
PID 3156 wrote to memory of 2564	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	46
PID 3156 wrote to memory of 2844	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	51
PID 3156 wrote to memory of 3400	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	56
PID 3156 wrote to memory of 3572	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	57
PID 3156 wrote to memory of 3756	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	58
PID 3156 wrote to memory of 3848	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	59
PID 3156 wrote to memory of 3912	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	60
PID 3156 wrote to memory of 3996	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	61
PID 3156 wrote to memory of 3448	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	62
PID 3156 wrote to memory of 5080	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	84
PID 3156 wrote to memory of 5080	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	84
PID 3156 wrote to memory of 5080	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	84
PID 3156 wrote to memory of 4352	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	74
PID 3156 wrote to memory of 1844	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	76
PID 3156 wrote to memory of 2880	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	81
PID 3156 wrote to memory of 1956	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	82
PID 3156 wrote to memory of 1916	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	86
PID 3156 wrote to memory of 1916	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	86
PID 3156 wrote to memory of 1916	3156	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe	86
PID 1916 wrote to memory of 3856	1916	pxinstall625.exe	94
PID 1916 wrote to memory of 3856	1916	pxinstall625.exe	94
PID 3856 wrote to memory of 2992	3856	msedge.exe	95
PID 3856 wrote to memory of 2992	3856	msedge.exe	95
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96
PID 3856 wrote to memory of 2312	3856	msedge.exe	96

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a8bbdcd6dcc5ef7741a5f7539cc897.exe"
  2⤵
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3156
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\pxinstall625.exe
    "C:\Users\Admin\AppData\Local\Temp\pxinstall625.exe" /prop PRIORITY=Y /prop INSTSHELL=Y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.prevx.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe746246f8,0x7ffe74624708,0x7ffe74624718
        5⤵
        
        PID:2992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:2312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:1292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        5⤵
        
        PID:2108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:1752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
        5⤵
        
        PID:3620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
        5⤵
        
        PID:3184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
        5⤵
        
        PID:4472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
        5⤵
        
        PID:1256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
        5⤵
        
        PID:540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:1804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
        5⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7234661715464870320,3921284673812180790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2880

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8cb3a8ae72d4143c46a67827ca0b7df

SHA1
171c2c090300f33f67510e38358077155a664f99

SHA256
7bf198a75746d630643056ad1571f0d46f6d069f7813a39888f7519b4b843e9e

SHA512
917d6ac30c1975f5266aa380baf9842575ad565c4399ef7da499e8f78d7300f6b1c4d3c5846d46b5c39fbbcd76097fe356274ce44eb35e8ca5c09522def6758e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bf0b2725c0cd068b0f67eb62cbc3244f

SHA1
54ee5cd3bd0ae55707020bf40c4342736e310caf

SHA256
5dff0f70a7691805910a88ef91c9ecc338c6a27b818ff6b0c8bc6e0e8e381d36

SHA512
f622f17ddcf1a364bbe926fe427b1544c3bea200b65f24aee14a5eaa7b260e33f396ef07f2a0a53540dc4c0f5beebf431b6d7d0a9032890de13b99a2089b852e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
16b35389479e3d17c92f65b011a5bd97

SHA1
3e112c6e493f1fdc8428082be958895492723907

SHA256
39d9190ce5cedc52abea78815907c170ea1e47f2544a506d4c27dcd6c3f9e033

SHA512
581d6464533859b17c2808f58398f6c25053286e8f6043624c4a448a60fc74b5aeda1b87706560a88c16d68e335478199c2ddb37a828a8f4bbc249e8087a771f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8b9083279aa20bc1b6a4fa71f7057a91

SHA1
195260f775101a304733e51e7fc57cfe579de0ec

SHA256
27267ecf76d5ccb6dd36775228d2a5ada42968738e9675281f89f5e33ec3d0f0

SHA512
be4cd8625975ee282e1d96cd70f2e86009c7bdafbf2f73da758acbe078dca14fde011439fb120180c7d2ec511a0ce6c53aa10c821a928834514c9c47ef52a2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03b055e6622787e6f780d4046bd16cc7

SHA1
08546a007b40c6e2942d6004d349209bcfb69899

SHA256
cb308f0552fff4eced5a7cc2e85d59a750b6796b337df0f47a619ec91875ef89

SHA512
fd66de97203388ddbef2affd6f84d90a2cd488b12214a65efe1c508e591e9620ca859c3753cea37ba8cdc935f7a7dc0e55f5bd32b2e3edcb3db1cf2ffd4e7748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1df114e018312de2afcfc2257c463c0a

SHA1
db40b55be81ab594b357a4794e9657977a033829

SHA256
0dd8be3d209cfb08930ffeb67e118324f34bc2e9a31cdc2c7e1a1bd8f9f6b9e2

SHA512
09a9c4d578efb780fc466389299e7448d0adbd209dc7a5e8e87e4db0af0ca1eccde698b81972875fb5f454b6798c105aeece10c150f915e695ad174443c04e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\99f165cb2044a72beb74125231569e99f93e0a79\index.txt

Filesize
93B

MD5
96f50a644ef88a5f12bd0e04afb5fa31

SHA1
8dd19cab13f11fb0be7ae86dcc6aa6e9b49f2172

SHA256
5b2687d03d37647146fa6e550f3e76974f0d347ad3f32d0ebbcd64781afd3878

SHA512
86a59d5321b04ddf63a7fa577c565dd4c478ab5c39baab1c7a2e7ddd8ebd7298c5d9077036bbab7c1992960fedd9e13aeefbaa28f4d6dffdce94a02e3a5fc78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\99f165cb2044a72beb74125231569e99f93e0a79\index.txt

Filesize
86B

MD5
aac1bc7710d0c4be21c578767a0c8556

SHA1
6efd0629afc195fe4130184992b2fc5e48b68325

SHA256
1500647ae5bf25525e3ef1a2db84c31f3bdea0bd8b21700188c4582c4b0c519c

SHA512
e7335a76e5510ed24d09c80cd312eb6a33178ef40112b98155727bf74a9d01ff2e8b063b5b75e4b35fc5fb8040e93420ada8ceb8f8260ecd244badc8212112ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4706f334771439745d02bf089b9ee224

SHA1
5134aa56086ee00e4b74b1d92669ecd3f394dcae

SHA256
81b3eb18f2ab0d64902934d1b55549a377f07164c62f8897b6504fe1e4be7e08

SHA512
470805f693f95e644d60749df24a41ae2d471299240b052cdc219f9e82fbf744394aba6ceed91931493ddcace4621d24ac74188df170e0597857e5e54c890af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57edda.TMP

Filesize
48B

MD5
add54fec3fb45faff8d3000312d07aee

SHA1
68e6688a758b154b0c43a0544ac8ea3f6dbf4753

SHA256
dfd47f11e8d5ffede330ae7b03b565868a113ca5173ff38fe784b37c4030647d

SHA512
e8a6a99a08fe2b4ed445f1902868847d6419d9ae92b0240a70a0a65b061df6011f2229f90d0819f0950d37a9cfec78e74e89058b0fdfc76e379e99fb3184afbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b13f610f9af7844fdfc91951278ebd92

SHA1
7f239c7db8b14506062f1a56ba0d0d8b09c8dbcb

SHA256
dca13315312cfba8b6b8774c0379332180682a2e211150aa392a37eba9d15393

SHA512
906b8b43cae83c3d85befc1631cb9bd6e14482418578a76e3ac65941fc5bf4b280c64a99411caaac82e87857bf7daa68ea25e7aaba4d88464c66bf10a1353fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxinstall625.exe

Filesize
4.2MB

MD5
570494bc9234d1c491cec1a07a16ea90

SHA1
6c3c08003693560a4aee8ab1919f4dedbf7538f2

SHA256
d3e509e7a54fa9c8f7f6510613f3a8fbca5012188a17014e8b8cd9a34b207ac0

SHA512
e8a42f07e7a5d174b92f5142c106c38a9f0e914c72f4f041626c632837a5f817a045e046d76411e591393fea5bd97d0a9915f14e231c0be7b6ec08a4f3b71252

Download Submit
memory/3156-10-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3156-8-0x00000000023E0000-0x0000000003410000-memory.dmp

Filesize
16.2MB

Download
memory/3156-13-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3156-0-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3156-11-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/3156-12-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3156-31-0x00000000023E0000-0x0000000003410000-memory.dmp

Filesize
16.2MB

Download
memory/3156-5-0x00000000023E0000-0x0000000003410000-memory.dmp

Filesize
16.2MB

Download
memory/3156-42-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3156-27-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/3156-1-0x00000000023E0000-0x0000000003410000-memory.dmp

Filesize
16.2MB

Download