metasploit | 5a206b2df16f9abcdc152e342618a2dc58fbff11fd8e2c64d80590702a437dd6

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
Size

168KB
MD5

946b9ddf8ffac1f1afd2c17a3764dd02
SHA1

6074d348d472038c6da3b479ad3d46c8a829dffe
SHA256

5a206b2df16f9abcdc152e342618a2dc58fbff11fd8e2c64d80590702a437dd6
SHA512

4a4abec5a119a63f713e1ebf64baba839bb1205113997ce55398da99c906b76bd1c5f9132df8ea5809f62cee6d1c53dcf8628bcff10932a9505112c71feef775
SSDEEP

3072:4GEEhNJBDZ6Zi0mCdUvogGsz7rMX2sRleSsal2AsFsmzVQN6Fl/WA2RDCi+GBpmj:4GP3Z6gFI1jsz74X2sudfsmzW4Fl/Wvq

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2564	wmpfv1.exe

Executes dropped EXE 40 IoCs

pid	Process
2688	wmpfv1.exe
2564	wmpfv1.exe
764	wmpfv1.exe
3064	wmpfv1.exe
308	wmpfv1.exe
2964	wmpfv1.exe
2392	wmpfv1.exe
1556	wmpfv1.exe
3040	wmpfv1.exe
2932	wmpfv1.exe
940	wmpfv1.exe
2524	wmpfv1.exe
692	wmpfv1.exe
1204	wmpfv1.exe
1000	wmpfv1.exe
560	wmpfv1.exe
2296	wmpfv1.exe
2500	wmpfv1.exe
2844	wmpfv1.exe
2732	wmpfv1.exe
2180	wmpfv1.exe
2360	wmpfv1.exe
1348	wmpfv1.exe
1932	wmpfv1.exe
2668	wmpfv1.exe
2920	wmpfv1.exe
1648	wmpfv1.exe
2244	wmpfv1.exe
3040	wmpfv1.exe
1288	wmpfv1.exe
2924	wmpfv1.exe
896	wmpfv1.exe
2004	wmpfv1.exe
2252	wmpfv1.exe
916	wmpfv1.exe
344	wmpfv1.exe
1640	wmpfv1.exe
2456	wmpfv1.exe
2728	wmpfv1.exe
2676	wmpfv1.exe

Loads dropped DLL 40 IoCs

pid	Process
1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
2564	wmpfv1.exe
2564	wmpfv1.exe
3064	wmpfv1.exe
3064	wmpfv1.exe
2964	wmpfv1.exe
2964	wmpfv1.exe
1556	wmpfv1.exe
1556	wmpfv1.exe
2932	wmpfv1.exe
2932	wmpfv1.exe
2524	wmpfv1.exe
2524	wmpfv1.exe
1204	wmpfv1.exe
1204	wmpfv1.exe
560	wmpfv1.exe
560	wmpfv1.exe
2500	wmpfv1.exe
2500	wmpfv1.exe
2732	wmpfv1.exe
2732	wmpfv1.exe
2360	wmpfv1.exe
2360	wmpfv1.exe
1932	wmpfv1.exe
1932	wmpfv1.exe
2920	wmpfv1.exe
2920	wmpfv1.exe
2244	wmpfv1.exe
2244	wmpfv1.exe
1288	wmpfv1.exe
1288	wmpfv1.exe
896	wmpfv1.exe
896	wmpfv1.exe
2252	wmpfv1.exe
2252	wmpfv1.exe
344	wmpfv1.exe
344	wmpfv1.exe
2456	wmpfv1.exe
2456	wmpfv1.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File created	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfv1.exe	wmpfv1.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 2688 set thread context of 2564	2688	wmpfv1.exe	33
PID 764 set thread context of 3064	764	wmpfv1.exe	35
PID 308 set thread context of 2964	308	wmpfv1.exe	37
PID 2392 set thread context of 1556	2392	wmpfv1.exe	39
PID 3040 set thread context of 2932	3040	wmpfv1.exe	41
PID 940 set thread context of 2524	940	wmpfv1.exe	43
PID 692 set thread context of 1204	692	wmpfv1.exe	45
PID 1000 set thread context of 560	1000	wmpfv1.exe	47
PID 2296 set thread context of 2500	2296	wmpfv1.exe	49
PID 2844 set thread context of 2732	2844	wmpfv1.exe	51
PID 2180 set thread context of 2360	2180	wmpfv1.exe	53
PID 1348 set thread context of 1932	1348	wmpfv1.exe	55
PID 2668 set thread context of 2920	2668	wmpfv1.exe	57
PID 1648 set thread context of 2244	1648	wmpfv1.exe	59
PID 3040 set thread context of 1288	3040	wmpfv1.exe	61
PID 2924 set thread context of 896	2924	wmpfv1.exe	63
PID 2004 set thread context of 2252	2004	wmpfv1.exe	65
PID 916 set thread context of 344	916	wmpfv1.exe	67
PID 1640 set thread context of 2456	1640	wmpfv1.exe	69
PID 2728 set thread context of 2676	2728	wmpfv1.exe	71

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-11-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-6-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1764-28-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2564-40-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2564-41-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2564-42-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2564-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2564-47-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3064-59-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3064-58-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3064-60-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3064-61-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3064-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2964-78-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2964-79-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2964-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2964-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2964-87-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1556-98-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1556-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2932-117-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2932-125-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2524-136-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2524-144-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1204-155-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1204-163-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/560-174-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/560-182-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2500-195-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2500-201-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2732-212-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2732-221-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2360-232-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2360-240-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1932-253-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1932-259-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2920-274-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2244-284-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2244-289-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1288-299-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1288-304-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/896-314-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/896-319-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2252-329-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2252-334-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/344-344-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/344-349-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2456-359-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2456-364-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2676-374-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfv1.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
2564	wmpfv1.exe
3064	wmpfv1.exe
2964	wmpfv1.exe
1556	wmpfv1.exe
2932	wmpfv1.exe
2524	wmpfv1.exe
1204	wmpfv1.exe
560	wmpfv1.exe
2500	wmpfv1.exe
2732	wmpfv1.exe
2360	wmpfv1.exe
1932	wmpfv1.exe
2920	wmpfv1.exe
2244	wmpfv1.exe
1288	wmpfv1.exe
896	wmpfv1.exe
2252	wmpfv1.exe
344	wmpfv1.exe
2456	wmpfv1.exe
2676	wmpfv1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 824 wrote to memory of 1764	824	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	31
PID 1764 wrote to memory of 2688	1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	32
PID 1764 wrote to memory of 2688	1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	32
PID 1764 wrote to memory of 2688	1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	32
PID 1764 wrote to memory of 2688	1764	946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2688 wrote to memory of 2564	2688	wmpfv1.exe	33
PID 2564 wrote to memory of 764	2564	wmpfv1.exe	34
PID 2564 wrote to memory of 764	2564	wmpfv1.exe	34
PID 2564 wrote to memory of 764	2564	wmpfv1.exe	34
PID 2564 wrote to memory of 764	2564	wmpfv1.exe	34
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 764 wrote to memory of 3064	764	wmpfv1.exe	35
PID 3064 wrote to memory of 308	3064	wmpfv1.exe	36
PID 3064 wrote to memory of 308	3064	wmpfv1.exe	36
PID 3064 wrote to memory of 308	3064	wmpfv1.exe	36
PID 3064 wrote to memory of 308	3064	wmpfv1.exe	36
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 308 wrote to memory of 2964	308	wmpfv1.exe	37
PID 2964 wrote to memory of 2392	2964	wmpfv1.exe	38
PID 2964 wrote to memory of 2392	2964	wmpfv1.exe	38
PID 2964 wrote to memory of 2392	2964	wmpfv1.exe	38
PID 2964 wrote to memory of 2392	2964	wmpfv1.exe	38
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 2392 wrote to memory of 1556	2392	wmpfv1.exe	39
PID 1556 wrote to memory of 3040	1556	wmpfv1.exe	40
PID 1556 wrote to memory of 3040	1556	wmpfv1.exe	40
PID 1556 wrote to memory of 3040	1556	wmpfv1.exe	40
PID 1556 wrote to memory of 3040	1556	wmpfv1.exe	40
PID 3040 wrote to memory of 2932	3040	wmpfv1.exe	41
PID 3040 wrote to memory of 2932	3040	wmpfv1.exe	41
PID 3040 wrote to memory of 2932	3040	wmpfv1.exe	41
PID 3040 wrote to memory of 2932	3040	wmpfv1.exe	41

C:\Users\Admin\AppData\Local\Temp\946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\946b9ddf8ffac1f1afd2c17a3764dd02_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\wmpfv1.exe
    "C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\946B9D~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\wmpfv1.exe
      "C:\Windows\system32\wmpfv1.exe" C:\Users\Admin\AppData\Local\Temp\946B9D~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\wmpfv1.exe
        
        "C:\Windows\system32\wmpfv1.exe" C:\Windows\SysWOW64\wmpfv1.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpfv1.exe

Filesize
168KB

MD5
946b9ddf8ffac1f1afd2c17a3764dd02

SHA1
6074d348d472038c6da3b479ad3d46c8a829dffe

SHA256
5a206b2df16f9abcdc152e342618a2dc58fbff11fd8e2c64d80590702a437dd6

SHA512
4a4abec5a119a63f713e1ebf64baba839bb1205113997ce55398da99c906b76bd1c5f9132df8ea5809f62cee6d1c53dcf8628bcff10932a9505112c71feef775

Download Submit
memory/308-77-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/344-344-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/344-349-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/560-174-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/560-182-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/764-57-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/824-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/896-319-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/896-314-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1204-155-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1204-163-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1288-299-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1288-304-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1556-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1556-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-28-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-11-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1764-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1932-253-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1932-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2244-284-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2244-289-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2252-329-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2252-334-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-232-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-240-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2392-96-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-364-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2456-359-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2500-195-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2500-201-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2524-144-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2524-136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-42-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2564-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2676-374-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2688-39-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2732-212-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2732-221-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2920-274-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2932-125-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2932-117-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-79-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3064-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3064-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3064-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3064-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3064-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download