7a978c70c917bf392441dfff8e2481dce79bdb9821405489c48bb95dae54c6c5

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
Size

276KB
MD5

39b5d4d71f1de7164e1487c0d35733cf
SHA1

ef44eb09e00d31214087416d6a3f5225bf6ed952
SHA256

7a978c70c917bf392441dfff8e2481dce79bdb9821405489c48bb95dae54c6c5
SHA512

3dbefb786b1cd335ef17d9f656dced7c206aa7fd762b48ac3b8c9d9dd0aecb281fe1075e46dbdaefdafd252aa30b9d23520116aab8b6560ef44b726bd1434647
SSDEEP

3072:ZYUb5QoJ4g+Ri+Zj6Iz1ZdW4SrO7FSVpES9D6:ZY7xh6SZI4z7FSVpJ4

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	whnrsi.exe
2792	wutytv.exe
676	wlclo.exe
3048	wtqshm.exe
2240	wblkrtgi.exe
324	wxytru.exe
2104	wkubop.exe
1620	wiiko.exe
1956	wxpwhc.exe
3000	wljxswg.exe
2860	whx.exe
3016	wkrnfsut.exe
3020	wnp.exe
2588	wnlkpfw.exe
1920	wjrtdidkr.exe
2200	wirw.exe
1820	wbulkndlr.exe
2404	wgsl.exe
2772	wlfyqlekn.exe
1796	whxecs.exe
464	wnlsbc.exe
1952	wlodkcssj.exe
2460	wofc.exe
1736	wjwf.exe
2180	wqkupjcc.exe
1912	wonhake.exe
1820	whxln.exe
2744	wokalyisl.exe
1548	wmmmvanq.exe
1796	woptwru.exe
464	wosfh.exe
2556	wqvmgifn.exe
888	wswtixn.exe
532	wmpathdt.exe
1264	wqsftyji.exe
2188	wpure.exe
2992	winwof.exe
1468	wuvrppj.exe
2336	wtmtsocix.exe
2444	wrpedpgg.exe
1644	wugcvf.exe
1044	wpahin.exe
1304	wwmugwn.exe
2020	wudwj.exe
2748	wbrkifcov.exe
2712	wna.exe
2472	wpcufu.exe
2904	wspmnna.exe
2116	wvgkg.exe
3008	wxucpvneq.exe
1944	wbk.exe
324	wqotjdhu.exe
1876	wqgtlcae.exe
1092	wjyxxk.exe
1912	wqmmwtk.exe
2816	wrrfhkwa.exe
2992	wqkgjjpij.exe
3016	womssjsg.exe
1404	wrnauba.exe
2184	wxcotkvj.exe
2268	wsjj.exe
900	wvvagjt.exe
2812	wcvaf.exe
2080	wotuvj.exe

Loads dropped DLL 64 IoCs

pid	Process
2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
2892	whnrsi.exe
2892	whnrsi.exe
2892	whnrsi.exe
2892	whnrsi.exe
2792	wutytv.exe
2792	wutytv.exe
2792	wutytv.exe
2792	wutytv.exe
676	wlclo.exe
676	wlclo.exe
676	wlclo.exe
676	wlclo.exe
3048	wtqshm.exe
3048	wtqshm.exe
3048	wtqshm.exe
3048	wtqshm.exe
2240	wblkrtgi.exe
2240	wblkrtgi.exe
2240	wblkrtgi.exe
2240	wblkrtgi.exe
324	wxytru.exe
324	wxytru.exe
324	wxytru.exe
324	wxytru.exe
2104	wkubop.exe
2104	wkubop.exe
2104	wkubop.exe
2104	wkubop.exe
1620	wiiko.exe
1620	wiiko.exe
1620	wiiko.exe
1620	wiiko.exe
1956	wxpwhc.exe
1956	wxpwhc.exe
1956	wxpwhc.exe
1956	wxpwhc.exe
3000	wljxswg.exe
3000	wljxswg.exe
3000	wljxswg.exe
3000	wljxswg.exe
2860	whx.exe
2860	whx.exe
2860	whx.exe
2860	whx.exe
3016	wkrnfsut.exe
3016	wkrnfsut.exe
3016	wkrnfsut.exe
3016	wkrnfsut.exe
3020	wnp.exe
3020	wnp.exe
3020	wnp.exe
3020	wnp.exe
2588	wnlkpfw.exe
2588	wnlkpfw.exe
2588	wnlkpfw.exe
2588	wnlkpfw.exe
1920	wjrtdidkr.exe
1920	wjrtdidkr.exe
1920	wjrtdidkr.exe
1920	wjrtdidkr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wjwf.exe	wofc.exe
File created	C:\Windows\SysWOW64\whxln.exe	wnegc.exe
File opened for modification	C:\Windows\SysWOW64\wwmugwn.exe	wpahin.exe
File created	C:\Windows\SysWOW64\wjyxxk.exe	wqgtlcae.exe
File created	C:\Windows\SysWOW64\wblkrtgi.exe	wtqshm.exe
File created	C:\Windows\SysWOW64\wnlkpfw.exe	wnp.exe
File created	C:\Windows\SysWOW64\wxcotkvj.exe	wrnauba.exe
File opened for modification	C:\Windows\SysWOW64\wosfh.exe	woptwru.exe
File opened for modification	C:\Windows\SysWOW64\wswtixn.exe	wqvmgifn.exe
File opened for modification	C:\Windows\SysWOW64\wcvaf.exe	wvvagjt.exe
File created	C:\Windows\SysWOW64\wxpwhc.exe	wiiko.exe
File created	C:\Windows\SysWOW64\wonhake.exe	wqkupjcc.exe
File opened for modification	C:\Windows\SysWOW64\wtmtsocix.exe	wuvrppj.exe
File created	C:\Windows\SysWOW64\wwmugwn.exe	wpahin.exe
File opened for modification	C:\Windows\SysWOW64\wkubop.exe	wxytru.exe
File opened for modification	C:\Windows\SysWOW64\wmpathdt.exe	wswtixn.exe
File created	C:\Windows\SysWOW64\wjwf.exe	wofc.exe
File created	C:\Windows\SysWOW64\wokalyisl.exe	whxln.exe
File opened for modification	C:\Windows\SysWOW64\woptwru.exe	wmmmvanq.exe
File created	C:\Windows\SysWOW64\winwof.exe	wpure.exe
File opened for modification	C:\Windows\SysWOW64\wpcufu.exe	wna.exe
File opened for modification	C:\Windows\SysWOW64\wsjj.exe	wxcotkvj.exe
File opened for modification	C:\Windows\SysWOW64\wnlsbc.exe	whxecs.exe
File opened for modification	C:\Windows\SysWOW64\wlodkcssj.exe	wnlsbc.exe
File opened for modification	C:\Windows\SysWOW64\whnrsi.exe	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpathdt.exe	wswtixn.exe
File opened for modification	C:\Windows\SysWOW64\wuvrppj.exe	winwof.exe
File opened for modification	C:\Windows\SysWOW64\wbk.exe	wxucpvneq.exe
File opened for modification	C:\Windows\SysWOW64\whx.exe	wljxswg.exe
File opened for modification	C:\Windows\SysWOW64\wnlkpfw.exe	wnp.exe
File created	C:\Windows\SysWOW64\wpure.exe	wqsftyji.exe
File opened for modification	C:\Windows\SysWOW64\wrpedpgg.exe	wtmtsocix.exe
File created	C:\Windows\SysWOW64\wbrkifcov.exe	wudwj.exe
File created	C:\Windows\SysWOW64\wswtixn.exe	wqvmgifn.exe
File opened for modification	C:\Windows\SysWOW64\wqsftyji.exe	wmpathdt.exe
File created	C:\Windows\SysWOW64\wugcvf.exe	wrpedpgg.exe
File created	C:\Windows\SysWOW64\wna.exe	wbrkifcov.exe
File created	C:\Windows\SysWOW64\wpcufu.exe	wna.exe
File created	C:\Windows\SysWOW64\wcvaf.exe	wvvagjt.exe
File created	C:\Windows\SysWOW64\wichvogfc.exe	wwtkdk.exe
File created	C:\Windows\SysWOW64\wkrnfsut.exe	whx.exe
File created	C:\Windows\SysWOW64\wnlsbc.exe	whxecs.exe
File created	C:\Windows\SysWOW64\wbulkndlr.exe	wirw.exe
File opened for modification	C:\Windows\SysWOW64\wvgkg.exe	wspmnna.exe
File opened for modification	C:\Windows\SysWOW64\womssjsg.exe	wqkgjjpij.exe
File created	C:\Windows\SysWOW64\wlclo.exe	wutytv.exe
File opened for modification	C:\Windows\SysWOW64\wnp.exe	wkrnfsut.exe
File opened for modification	C:\Windows\SysWOW64\wokalyisl.exe	whxln.exe
File created	C:\Windows\SysWOW64\wpahin.exe	wugcvf.exe
File created	C:\Windows\SysWOW64\wbk.exe	wxucpvneq.exe
File created	C:\Windows\SysWOW64\wkubop.exe	wxytru.exe
File opened for modification	C:\Windows\SysWOW64\wxpwhc.exe	wiiko.exe
File opened for modification	C:\Windows\SysWOW64\wqkupjcc.exe	wjwf.exe
File opened for modification	C:\Windows\SysWOW64\wrnauba.exe	womssjsg.exe
File created	C:\Windows\SysWOW64\whnrsi.exe	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wxytru.exe	wblkrtgi.exe
File opened for modification	C:\Windows\SysWOW64\whxln.exe	wnegc.exe
File created	C:\Windows\SysWOW64\wqmmwtk.exe	wjyxxk.exe
File created	C:\Windows\SysWOW64\wqkupjcc.exe	wjwf.exe
File opened for modification	C:\Windows\SysWOW64\wonhake.exe	wqkupjcc.exe
File opened for modification	C:\Windows\SysWOW64\wutytv.exe	whnrsi.exe
File created	C:\Windows\SysWOW64\wrrfhkwa.exe	wopxhsols.exe
File created	C:\Windows\SysWOW64\wljxswg.exe	wxpwhc.exe
File opened for modification	C:\Windows\SysWOW64\wkrnfsut.exe	whx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuvrppj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxcotkvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wljxswg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqvmgifn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wopxhsols.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtqshm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxpwhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wugcvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlodkcssj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wosfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqmmwtk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wudwj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpcufu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvvagjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wokalyisl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winwof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whnrsi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrpedpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wblkrtgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqkgjjpij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wonhake.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wspmnna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlclo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxytru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgsl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wswtixn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwmugwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvgkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2892	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2892	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2892	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2892	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2756	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2756	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2756	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2756	2524	39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2792	2892	whnrsi.exe	34
PID 2892 wrote to memory of 2792	2892	whnrsi.exe	34
PID 2892 wrote to memory of 2792	2892	whnrsi.exe	34
PID 2892 wrote to memory of 2792	2892	whnrsi.exe	34
PID 2892 wrote to memory of 2720	2892	whnrsi.exe	35
PID 2892 wrote to memory of 2720	2892	whnrsi.exe	35
PID 2892 wrote to memory of 2720	2892	whnrsi.exe	35
PID 2892 wrote to memory of 2720	2892	whnrsi.exe	35
PID 2792 wrote to memory of 676	2792	wutytv.exe	37
PID 2792 wrote to memory of 676	2792	wutytv.exe	37
PID 2792 wrote to memory of 676	2792	wutytv.exe	37
PID 2792 wrote to memory of 676	2792	wutytv.exe	37
PID 2792 wrote to memory of 2956	2792	wutytv.exe	38
PID 2792 wrote to memory of 2956	2792	wutytv.exe	38
PID 2792 wrote to memory of 2956	2792	wutytv.exe	38
PID 2792 wrote to memory of 2956	2792	wutytv.exe	38
PID 676 wrote to memory of 3048	676	wlclo.exe	40
PID 676 wrote to memory of 3048	676	wlclo.exe	40
PID 676 wrote to memory of 3048	676	wlclo.exe	40
PID 676 wrote to memory of 3048	676	wlclo.exe	40
PID 676 wrote to memory of 628	676	wlclo.exe	41
PID 676 wrote to memory of 628	676	wlclo.exe	41
PID 676 wrote to memory of 628	676	wlclo.exe	41
PID 676 wrote to memory of 628	676	wlclo.exe	41
PID 3048 wrote to memory of 2240	3048	wtqshm.exe	43
PID 3048 wrote to memory of 2240	3048	wtqshm.exe	43
PID 3048 wrote to memory of 2240	3048	wtqshm.exe	43
PID 3048 wrote to memory of 2240	3048	wtqshm.exe	43
PID 3048 wrote to memory of 2460	3048	wtqshm.exe	44
PID 3048 wrote to memory of 2460	3048	wtqshm.exe	44
PID 3048 wrote to memory of 2460	3048	wtqshm.exe	44
PID 3048 wrote to memory of 2460	3048	wtqshm.exe	44
PID 2240 wrote to memory of 324	2240	wblkrtgi.exe	46
PID 2240 wrote to memory of 324	2240	wblkrtgi.exe	46
PID 2240 wrote to memory of 324	2240	wblkrtgi.exe	46
PID 2240 wrote to memory of 324	2240	wblkrtgi.exe	46
PID 2240 wrote to memory of 2556	2240	wblkrtgi.exe	47
PID 2240 wrote to memory of 2556	2240	wblkrtgi.exe	47
PID 2240 wrote to memory of 2556	2240	wblkrtgi.exe	47
PID 2240 wrote to memory of 2556	2240	wblkrtgi.exe	47
PID 324 wrote to memory of 2104	324	wxytru.exe	49
PID 324 wrote to memory of 2104	324	wxytru.exe	49
PID 324 wrote to memory of 2104	324	wxytru.exe	49
PID 324 wrote to memory of 2104	324	wxytru.exe	49
PID 324 wrote to memory of 576	324	wxytru.exe	50
PID 324 wrote to memory of 576	324	wxytru.exe	50
PID 324 wrote to memory of 576	324	wxytru.exe	50
PID 324 wrote to memory of 576	324	wxytru.exe	50
PID 2104 wrote to memory of 1620	2104	wkubop.exe	52
PID 2104 wrote to memory of 1620	2104	wkubop.exe	52
PID 2104 wrote to memory of 1620	2104	wkubop.exe	52
PID 2104 wrote to memory of 1620	2104	wkubop.exe	52
PID 2104 wrote to memory of 1588	2104	wkubop.exe	53
PID 2104 wrote to memory of 1588	2104	wkubop.exe	53
PID 2104 wrote to memory of 1588	2104	wkubop.exe	53
PID 2104 wrote to memory of 1588	2104	wkubop.exe	53

C:\Users\Admin\AppData\Local\Temp\39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\whnrsi.exe
  "C:\Windows\system32\whnrsi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\wutytv.exe
    "C:\Windows\system32\wutytv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\wlclo.exe
      "C:\Windows\system32\wlclo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\wtqshm.exe
        
        "C:\Windows\system32\wtqshm.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\wblkrtgi.exe
        
        "C:\Windows\system32\wblkrtgi.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\wxytru.exe
        
        "C:\Windows\system32\wxytru.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\wkubop.exe
        
        "C:\Windows\system32\wkubop.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\wiiko.exe
        
        "C:\Windows\system32\wiiko.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\wxpwhc.exe
        
        "C:\Windows\system32\wxpwhc.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\wljxswg.exe
        
        "C:\Windows\system32\wljxswg.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\whx.exe
        
        "C:\Windows\system32\whx.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wkrnfsut.exe
        
        "C:\Windows\system32\wkrnfsut.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\wnp.exe
        
        "C:\Windows\system32\wnp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\wnlkpfw.exe
        
        "C:\Windows\system32\wnlkpfw.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2588
        
        C:\Windows\SysWOW64\wjrtdidkr.exe
        
        "C:\Windows\system32\wjrtdidkr.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1920
        
        C:\Windows\SysWOW64\wirw.exe
        
        "C:\Windows\system32\wirw.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wbulkndlr.exe
        
        "C:\Windows\system32\wbulkndlr.exe"
        18⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\wgsl.exe
        
        "C:\Windows\system32\wgsl.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\wlfyqlekn.exe
        
        "C:\Windows\system32\wlfyqlekn.exe"
        20⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\whxecs.exe
        
        "C:\Windows\system32\whxecs.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\wnlsbc.exe
        
        "C:\Windows\system32\wnlsbc.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\wlodkcssj.exe
        
        "C:\Windows\system32\wlodkcssj.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\wofc.exe
        
        "C:\Windows\system32\wofc.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\wjwf.exe
        
        "C:\Windows\system32\wjwf.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\wqkupjcc.exe
        
        "C:\Windows\system32\wqkupjcc.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\wonhake.exe
        
        "C:\Windows\system32\wonhake.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\wnegc.exe
        
        "C:\Windows\system32\wnegc.exe"
        28⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\whxln.exe
        
        "C:\Windows\system32\whxln.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\wokalyisl.exe
        
        "C:\Windows\system32\wokalyisl.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\wmmmvanq.exe
        
        "C:\Windows\system32\wmmmvanq.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\woptwru.exe
        
        "C:\Windows\system32\woptwru.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\wosfh.exe
        
        "C:\Windows\system32\wosfh.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\wqvmgifn.exe
        
        "C:\Windows\system32\wqvmgifn.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\wswtixn.exe
        
        "C:\Windows\system32\wswtixn.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\wmpathdt.exe
        
        "C:\Windows\system32\wmpathdt.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\wqsftyji.exe
        
        "C:\Windows\system32\wqsftyji.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\wpure.exe
        
        "C:\Windows\system32\wpure.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\winwof.exe
        
        "C:\Windows\system32\winwof.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\wuvrppj.exe
        
        "C:\Windows\system32\wuvrppj.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\wtmtsocix.exe
        
        "C:\Windows\system32\wtmtsocix.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\wrpedpgg.exe
        
        "C:\Windows\system32\wrpedpgg.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\wugcvf.exe
        
        "C:\Windows\system32\wugcvf.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\wpahin.exe
        
        "C:\Windows\system32\wpahin.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\wwmugwn.exe
        
        "C:\Windows\system32\wwmugwn.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\wudwj.exe
        
        "C:\Windows\system32\wudwj.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\wbrkifcov.exe
        
        "C:\Windows\system32\wbrkifcov.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\wna.exe
        
        "C:\Windows\system32\wna.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\wpcufu.exe
        
        "C:\Windows\system32\wpcufu.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\wspmnna.exe
        
        "C:\Windows\system32\wspmnna.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\wvgkg.exe
        
        "C:\Windows\system32\wvgkg.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\wxucpvneq.exe
        
        "C:\Windows\system32\wxucpvneq.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\wbk.exe
        
        "C:\Windows\system32\wbk.exe"
        53⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\wqotjdhu.exe
        
        "C:\Windows\system32\wqotjdhu.exe"
        54⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\wqgtlcae.exe
        
        "C:\Windows\system32\wqgtlcae.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\wjyxxk.exe
        
        "C:\Windows\system32\wjyxxk.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\wqmmwtk.exe
        
        "C:\Windows\system32\wqmmwtk.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\wopxhsols.exe
        
        "C:\Windows\system32\wopxhsols.exe"
        58⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\wrrfhkwa.exe
        
        "C:\Windows\system32\wrrfhkwa.exe"
        59⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\wqkgjjpij.exe
        
        "C:\Windows\system32\wqkgjjpij.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\womssjsg.exe
        
        "C:\Windows\system32\womssjsg.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\wrnauba.exe
        
        "C:\Windows\system32\wrnauba.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\wxcotkvj.exe
        
        "C:\Windows\system32\wxcotkvj.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\wsjj.exe
        
        "C:\Windows\system32\wsjj.exe"
        64⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\wvvagjt.exe
        
        "C:\Windows\system32\wvvagjt.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\wcvaf.exe
        
        "C:\Windows\system32\wcvaf.exe"
        66⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\wotuvj.exe
        
        "C:\Windows\system32\wotuvj.exe"
        67⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\wwtkdk.exe
        
        "C:\Windows\system32\wwtkdk.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wotuvj.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvaf.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvvagjt.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjj.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxcotkvj.exe"
        64⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrnauba.exe"
        63⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\womssjsg.exe"
        62⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkgjjpij.exe"
        61⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrrfhkwa.exe"
        60⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopxhsols.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqmmwtk.exe"
        58⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjyxxk.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgtlcae.exe"
        56⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotjdhu.exe"
        55⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbk.exe"
        54⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxucpvneq.exe"
        53⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgkg.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wspmnna.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpcufu.exe"
        50⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wna.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbrkifcov.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudwj.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwmugwn.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpahin.exe"
        45⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wugcvf.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrpedpgg.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtmtsocix.exe"
        42⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuvrppj.exe"
        41⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winwof.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpure.exe"
        39⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqsftyji.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpathdt.exe"
        37⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wswtixn.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvmgifn.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosfh.exe"
        34⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptwru.exe"
        33⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmmmvanq.exe"
        32⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wokalyisl.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxln.exe"
        30⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnegc.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonhake.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqkupjcc.exe"
        27⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwf.exe"
        26⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wofc.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlodkcssj.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlsbc.exe"
        23⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whxecs.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfyqlekn.exe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsl.exe"
        20⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbulkndlr.exe"
        19⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wirw.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjrtdidkr.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlkpfw.exe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnp.exe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkrnfsut.exe"
        14⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whx.exe"
        13⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wljxswg.exe"
        12⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpwhc.exe"
        11⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiiko.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkubop.exe"
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxytru.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wblkrtgi.exe"
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtqshm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlclo.exe"
        5⤵
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wutytv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whnrsi.exe"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\39b5d4d71f1de7164e1487c0d35733cf_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\install[2].htm

Filesize
7KB

MD5
9463ba07743e8a9aca3b55373121b7c5

SHA1
4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f

SHA256
d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d

SHA512
6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1JIAIRJ4.txt

Filesize
130B

MD5
fd893e96263c81191af8cbd2a728c59b

SHA1
9669f0ce099c365373b5c9417a69ee362274e793

SHA256
954725295ff0aebf533556ccc6ecbfa200d1cc6758106dd280d4d6bfd3055206

SHA512
56a6c1398771ba5af70c78552b5a75af8e409f25a5637b74601beb8b2e773afd2f547ac451dc5bb3ddcc22f74a35b7c8dedbc78326b20f168e9a8d7a10a43037

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IT1KLAV4.txt

Filesize
98B

MD5
3c88c2dec7bd188d60a9deaba23a6e3f

SHA1
57b23361648a6097e6f89d4ced0cbfd71b41f6b8

SHA256
6a6015ab9193189d24ca30c0b08e7a61218b591af939f06992daa13e41364029

SHA512
e86978599beca14790324efc37fadf54b822c15ea87a2e2917ebe7146446130adfc76488bfe033eb23c45f1bd92937cd814d8592b36a98ee20e277ac8908717e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PU2WE1O6.txt

Filesize
131B

MD5
72afaa33a1a1c0240708a90dbdb6f976

SHA1
cf9bd473b51935c0dab8f0c31f67fa47804aafce

SHA256
61b1b233c92ebacb4d1990dd7e4327f6b6bdd3a40f1cc0a2c8407bc4da91a139

SHA512
7c021d86ed86558c41444c27b01b0022df59ba8da63b17e74f32a30b35d3d8e9122e5c935a30fff1a3a0312bd845fd114c6716da0a2ec6a354c6c38e27840076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VDDBACE3.txt

Filesize
130B

MD5
808bc8141b549e29d3fde98d4c86e085

SHA1
a9a2af3d3d22e89e42a9ec508872fd0a9716dde9

SHA256
d7c7b68ef07a96d1eacd8e01a856005f3d77eda0c1e7d1d8294c4555f9f39e4f

SHA512
04deabcce7aa6ab6e8d15375e0ea289df4c9cf77f9fb06b0c4cd1cfde024ca4a7ffbe1d3a0c4a3fd0ec5a6c5c99cf1af534c86ae1d3063ae0c3be22a80d9ccfd

Download Submit
\Windows\SysWOW64\wblkrtgi.exe

Filesize
277KB

MD5
26d9bd054e392befc3858fb167a1db63

SHA1
da5ae9705e5464aac16c0da4f3db663fec5d67ba

SHA256
7187e01f87d2e3e40a91fc1e627c41cf71d36316f499cea4fe2048bbc23e2d60

SHA512
7b65ba432da8ef5cef22b415ad267261af0203afac98889f36326a78f5a4bc8b77aec03844057f8abc499324e39ab37cb5bef431c511133bd2a9074b8435310c

Download Submit
\Windows\SysWOW64\whnrsi.exe

Filesize
276KB

MD5
345110e58020d86a5267492db28cc0af

SHA1
1ee764d67c002a74539fd273dfe70f30b56cd510

SHA256
bb126d9d3d8f3c2cea8af8b02c5aebc5d085e2075784fb9138963813828af7a3

SHA512
442603a7596b875ebc94cb4ae4fe6a6f7a905510a0c32072971c8b2c1f3a517f587e51022b6e44f31383dd588cb1b91afae2b14dd31e70546b3b4c0b4ce6533f

Download Submit
\Windows\SysWOW64\wiiko.exe

Filesize
277KB

MD5
0b8116c37001929d385f4b3ade7d6f8f

SHA1
1d5ee803c54c21729e0fed282390fc48fbc932f7

SHA256
e52ba08a88415dfaa51498059bd9be93a0e14d5deeab3677ed9d1711fc7b8b5f

SHA512
de301ec1acb7a81e5392132f61b2f8538d25ff5cc7ab63d6db0255051b398d45b0dcb4bd6465511f7c3c4214d77f1576fb1e24e565ede572e4bef8cfe4dbe6c3

Download Submit
\Windows\SysWOW64\wkubop.exe

Filesize
277KB

MD5
50744aea37bc3493897a2be82449d4e1

SHA1
09a7317254e78cb3f990184cdae2d44834720085

SHA256
a853b5ca1f9139f20db3512f93fd9fc081704a6a71c1da936f298378e32428b1

SHA512
92d1a7a3bece3aca870c844e2944cde1642dff59b2c106eb6928cec8cdb36ac92dc3401388764ebb7ddc76864c0b841e002074ada184a14d90175809b7815cc2

Download Submit
\Windows\SysWOW64\wlclo.exe

Filesize
276KB

MD5
df0223121bd495c8e08e484458b23655

SHA1
9ae7898756ad323ae40a1dd263494c0c6aaf1742

SHA256
45fa1d0ee1191f6a4fb5fe83a5cc173584cfdd916ea37b6df1be8aa2a076538b

SHA512
61eb5ec6cae9b25532a04e0a0af97b7751cf6761604e24c34811e317c84232711fe079411196460a7077cc309ea0ae556a509170d64b0114d18002b442f27072

Download Submit
\Windows\SysWOW64\wljxswg.exe

Filesize
277KB

MD5
57b01d5049a5a80b59306b08d7498a4c

SHA1
43ce5a1e52f468cefce377b490b8f3ae3a2383e7

SHA256
eabb41ac9bc5eef581a162d61cf4fe4cbf767ef3d5fa13159d093b5f6fa7021f

SHA512
3d0fbb8f5cfd2fa1d89ff95a8ad4c7dea7fcdd8f38b90f66ade5b3642c125c0e6bbb0585c1c578455d658c5a97f63f15b68db193d51b84171b5154e2092dbc14

Download Submit
\Windows\SysWOW64\wtqshm.exe

Filesize
276KB

MD5
f784b085e1afc2cff8f2c35185103015

SHA1
a5ad8b162a3d3b95fdb20ecc5542fd9d33356eba

SHA256
7e21b8f42843e6f8bdc2f3931ece26162add9b766f4d2687a33f7666354e733b

SHA512
d6252bc7dd605b6c187bd3b31668b3c4e73f4216417189fe26950dc2d4e3e8cb9890eb1bed220057be3444611d7e83c6a88b28526bea0b73c630a4f5dfa1fec0

Download Submit
\Windows\SysWOW64\wutytv.exe

Filesize
276KB

MD5
34e80a4124face953871371039725392

SHA1
60ff72031be40b3287ad612b8c8376a8868476c8

SHA256
2ab5761b0f09ca0b6b448f2dfecd63ec5c152435209e25a09acecb55f97452db

SHA512
64835590c6792945a9377f0576470761ea37fdd4509a9a16ba250afc98af137da8e08c5ec609f24e8f6c34168140c16a085e21426e62fe01a5dd1f78b2bb36f3

Download Submit
\Windows\SysWOW64\wxpwhc.exe

Filesize
277KB

MD5
a363f3ff3a19ccba0550dc75991ded2a

SHA1
ac489c00e83e8062916c8585c62da96f1270c32f

SHA256
45568248fe45a852b543abd2105534da09af363f9ca8941f027b4505690f26b6

SHA512
fef58097ca48ca3997d72da7051aa496e9c404367844a633ff7865fb6a06eba84e6e1ae12f255d59408743b4d7054d452828103aeee96d00ec6de902f2523351

Download Submit
\Windows\SysWOW64\wxytru.exe

Filesize
277KB

MD5
785478f6fbddcdea0db39f6e0bc11ef5

SHA1
1b14e89041a6a5a9fc3a3339629a3f05dad3a963

SHA256
64b94d197959ae202d256a43835b9298a87518fd9e3493a4dcbe1493bcb43d3b

SHA512
d73b2eeac4bca8047afbfe88e2ef20d0b4b5a6b3baa7d4782bd841f34ac22cea16d32c1de746d72e2349171a387b2c58dfac0ceb3e8153b2dd41ce8fcd93f82e

Download Submit
memory/324-160-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/324-157-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/324-158-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/324-159-0x0000000003CF0000-0x0000000003D07000-memory.dmp

Filesize
92KB

Download
memory/324-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/324-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-416-0x00000000035C0000-0x00000000035D7000-memory.dmp

Filesize
92KB

Download
memory/464-402-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/464-417-0x00000000035C0000-0x00000000035D7000-memory.dmp

Filesize
92KB

Download
memory/464-415-0x00000000035C0000-0x00000000035D7000-memory.dmp

Filesize
92KB

Download
memory/676-90-0x0000000003460000-0x0000000003477000-memory.dmp

Filesize
92KB

Download
memory/676-89-0x0000000003640000-0x0000000003657000-memory.dmp

Filesize
92KB

Download
memory/676-88-0x0000000003640000-0x0000000003657000-memory.dmp

Filesize
92KB

Download
memory/676-87-0x0000000003460000-0x0000000003477000-memory.dmp

Filesize
92KB

Download
memory/676-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-185-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-199-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/1620-208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1796-395-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/1796-401-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/1796-403-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1796-400-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/1796-396-0x0000000002330000-0x0000000002347000-memory.dmp

Filesize
92KB

Download
memory/1820-351-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1820-338-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-354-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1820-353-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1820-352-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1912-955-0x0000000074C30000-0x0000000074C7F000-memory.dmp

Filesize
316KB

Download
memory/1912-954-0x0000000074C80000-0x0000000074CD8000-memory.dmp

Filesize
352KB

Download
memory/1920-305-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-320-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1920-321-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1920-319-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/1920-315-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/1920-314-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/1956-228-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1956-206-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2104-184-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2104-183-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2104-182-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2104-187-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2104-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-336-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2200-322-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2200-335-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2200-337-0x0000000003490000-0x00000000034A7000-memory.dmp

Filesize
92KB

Download
memory/2200-339-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-136-0x00000000034B0000-0x00000000034C7000-memory.dmp

Filesize
92KB

Download
memory/2240-135-0x00000000034B0000-0x00000000034C7000-memory.dmp

Filesize
92KB

Download
memory/2240-134-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2240-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2240-133-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2404-355-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-370-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-364-0x0000000004010000-0x0000000004027000-memory.dmp

Filesize
92KB

Download
memory/2404-368-0x0000000004020000-0x0000000004037000-memory.dmp

Filesize
92KB

Download
memory/2524-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2524-18-0x00000000031E0000-0x00000000031F7000-memory.dmp

Filesize
92KB

Download
memory/2524-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2588-299-0x0000000003600000-0x0000000003617000-memory.dmp

Filesize
92KB

Download
memory/2588-303-0x0000000003600000-0x0000000003617000-memory.dmp

Filesize
92KB

Download
memory/2588-304-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-384-0x0000000002300000-0x0000000002317000-memory.dmp

Filesize
92KB

Download
memory/2772-386-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2772-382-0x0000000002300000-0x0000000002317000-memory.dmp

Filesize
92KB

Download
memory/2772-383-0x0000000002300000-0x0000000002317000-memory.dmp

Filesize
92KB

Download
memory/2772-385-0x0000000002300000-0x0000000002317000-memory.dmp

Filesize
92KB

Download
memory/2772-369-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2792-67-0x0000000003B70000-0x0000000003B87000-memory.dmp

Filesize
92KB

Download
memory/2792-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2792-59-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2792-58-0x00000000034A0000-0x00000000034B7000-memory.dmp

Filesize
92KB

Download
memory/2792-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2860-256-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2860-255-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2860-254-0x0000000003EE0000-0x0000000003EF7000-memory.dmp

Filesize
92KB

Download
memory/2892-42-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download
memory/2892-40-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download
memory/2892-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-41-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download
memory/2892-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-43-0x0000000003470000-0x0000000003487000-memory.dmp

Filesize
92KB

Download
memory/3000-242-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-270-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/3016-272-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-271-0x0000000003630000-0x0000000003647000-memory.dmp

Filesize
92KB

Download
memory/3016-266-0x00000000032A0000-0x00000000032B7000-memory.dmp

Filesize
92KB

Download
memory/3020-286-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/3020-289-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-288-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/3020-287-0x0000000003B60000-0x0000000003B77000-memory.dmp

Filesize
92KB

Download
memory/3020-273-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3048-115-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3048-113-0x0000000003690000-0x00000000036A7000-memory.dmp

Filesize
92KB

Download
memory/3048-107-0x0000000003680000-0x0000000003697000-memory.dmp

Filesize
92KB

Download
memory/3048-93-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3048-101-0x0000000003680000-0x0000000003697000-memory.dmp

Filesize
92KB

Download