metasploit | 5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
Size

274KB
MD5

ce46eb95fece1606dc284b8c04b493d2
SHA1

ddf05e9185be47fa1cf11cf3d296ec66f81f6477
SHA256

5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290
SHA512

751ea1f43bab69d63151b076f4c689018743a8c5a3adcc162429718c1891de64e1c4953440eab7b5c55242f0dd2dbba0d4e4f91ae84be6e807af679e004daa16
SSDEEP

6144:oW95WO18EFJpK/rBjccRiyhQEl3oCXLfRTR19K4L76JDNbewMAAGy9:oAzFvc79oCbv6DJDNa+u

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2320	dzpnucq.exe
4688	nroljps.exe
2392	prfsycm.exe
4336	cavvmzm.exe
1904	sjcexek.exe
4116	figiqcq.exe
4988	pidosjm.exe
3848	fyyxjxh.exe
1740	vhxgvvf.exe
3608	kwshmcj.exe
2744	zjkdtmf.exe
4312	hzfektj.exe
3056	wlpzyvg.exe
3212	plmoakc.exe
3804	efscuve.exe
3124	ofhqeca.exe
636	errelex.exe
1808	thuncta.exe
1892	jqtvory.exe
1372	zdlrctv.exe
4208	jgllhnq.exe
2988	yirybya.exe
1576	rihncfw.exe
1164	gbnaxqz.exe
2408	noxwlav.exe
3420	goulnhr.exe
4084	vaezbjo.exe
2388	nipfrzq.exe
1364	dqwocfo.exe
5116	ldgjjhk.exe
3184	atbsaoo.exe
3504	swjmnaj.exe
1312	iueuwom.exe
1480	syfoiah.exe
756	kfruqqj.exe
4220	zvmdhwm.exe
2312	pesmtuc.exe
2028	fqcaheh.exe
4820	mgxiqlc.exe
4380	cthwfnh.exe
872	sycaopy.exe
920	hoxbfvc.exe
2868	oeakokf.exe
2424	hepqyrt.exe
4712	wukzpxx.exe
1780	oylsujs.exe
212	hctthvu.exe
4188	odahbfx.exe
800	ghabfrs.exe
1360	ykbcslm.exe
2052	ramizbo.exe
1848	yeweodl.exe
2204	qqfxson.exe
1384	ggagkvj.exe
2956	ykazwgm.exe
844	qnbabah.exe
3116	agyttmh.exe
1820	skynygc.exe
760	lohokre.exe
808	ahfcech.exe
3988	khcigkd.exe
4596	cxowwaw.exe
3856	veacdpy.exe
3612	niavqbt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ggagkvj.exe	qqfxson.exe
File created	C:\Windows\SysWOW64\kgcnlnu.exe	cxvehiw.exe
File opened for modification	C:\Windows\SysWOW64\kgcnlnu.exe	cxvehiw.exe
File created	C:\Windows\SysWOW64\errelex.exe	ofhqeca.exe
File created	C:\Windows\SysWOW64\ldgjjhk.exe	dqwocfo.exe
File created	C:\Windows\SysWOW64\pesmtuc.exe	zvmdhwm.exe
File created	C:\Windows\SysWOW64\sycaopy.exe	cthwfnh.exe
File opened for modification	C:\Windows\SysWOW64\sjcexek.exe	cavvmzm.exe
File created	C:\Windows\SysWOW64\fyyxjxh.exe	pidosjm.exe
File opened for modification	C:\Windows\SysWOW64\vaezbjo.exe	goulnhr.exe
File created	C:\Windows\SysWOW64\ykbcslm.exe	ghabfrs.exe
File opened for modification	C:\Windows\SysWOW64\yeweodl.exe	ramizbo.exe
File opened for modification	C:\Windows\SysWOW64\skynygc.exe	agyttmh.exe
File created	C:\Windows\SysWOW64\figiqcq.exe	sjcexek.exe
File opened for modification	C:\Windows\SysWOW64\wukzpxx.exe	hepqyrt.exe
File created	C:\Windows\SysWOW64\odahbfx.exe	hctthvu.exe
File created	C:\Windows\SysWOW64\ghabfrs.exe	odahbfx.exe
File opened for modification	C:\Windows\SysWOW64\fqcaheh.exe	pesmtuc.exe
File created	C:\Windows\SysWOW64\yeweodl.exe	ramizbo.exe
File created	C:\Windows\SysWOW64\qnbabah.exe	ykazwgm.exe
File opened for modification	C:\Windows\SysWOW64\niavqbt.exe	veacdpy.exe
File opened for modification	C:\Windows\SysWOW64\pesmtuc.exe	zvmdhwm.exe
File created	C:\Windows\SysWOW64\fqcaheh.exe	pesmtuc.exe
File created	C:\Windows\SysWOW64\skynygc.exe	agyttmh.exe
File created	C:\Windows\SysWOW64\prfsycm.exe	nroljps.exe
File created	C:\Windows\SysWOW64\zdlrctv.exe	jqtvory.exe
File created	C:\Windows\SysWOW64\yirybya.exe	jgllhnq.exe
File opened for modification	C:\Windows\SysWOW64\noxwlav.exe	gbnaxqz.exe
File created	C:\Windows\SysWOW64\jqtvory.exe	thuncta.exe
File opened for modification	C:\Windows\SysWOW64\agyttmh.exe	qnbabah.exe
File opened for modification	C:\Windows\SysWOW64\cxowwaw.exe	khcigkd.exe
File opened for modification	C:\Windows\SysWOW64\vhxgvvf.exe	fyyxjxh.exe
File opened for modification	C:\Windows\SysWOW64\syfoiah.exe	iueuwom.exe
File opened for modification	C:\Windows\SysWOW64\zvmdhwm.exe	kfruqqj.exe
File opened for modification	C:\Windows\SysWOW64\qqfxson.exe	yeweodl.exe
File opened for modification	C:\Windows\SysWOW64\oeakokf.exe	hoxbfvc.exe
File created	C:\Windows\SysWOW64\agyttmh.exe	qnbabah.exe
File created	C:\Windows\SysWOW64\wlpzyvg.exe	hzfektj.exe
File opened for modification	C:\Windows\SysWOW64\efscuve.exe	plmoakc.exe
File created	C:\Windows\SysWOW64\jgllhnq.exe	zdlrctv.exe
File created	C:\Windows\SysWOW64\syfoiah.exe	iueuwom.exe
File created	C:\Windows\SysWOW64\rihncfw.exe	yirybya.exe
File created	C:\Windows\SysWOW64\cavvmzm.exe	prfsycm.exe
File created	C:\Windows\SysWOW64\ahfcech.exe	lohokre.exe
File opened for modification	C:\Windows\SysWOW64\cxvehiw.exe	niavqbt.exe
File created	C:\Windows\SysWOW64\ggagkvj.exe	qqfxson.exe
File opened for modification	C:\Windows\SysWOW64\jqtvory.exe	thuncta.exe
File created	C:\Windows\SysWOW64\dqwocfo.exe	nipfrzq.exe
File created	C:\Windows\SysWOW64\iueuwom.exe	swjmnaj.exe
File created	C:\Windows\SysWOW64\zvmdhwm.exe	kfruqqj.exe
File opened for modification	C:\Windows\SysWOW64\kwshmcj.exe	vhxgvvf.exe
File created	C:\Windows\SysWOW64\zjkdtmf.exe	kwshmcj.exe
File created	C:\Windows\SysWOW64\wukzpxx.exe	hepqyrt.exe
File opened for modification	C:\Windows\SysWOW64\ykbcslm.exe	ghabfrs.exe
File created	C:\Windows\SysWOW64\hoxbfvc.exe	sycaopy.exe
File created	C:\Windows\SysWOW64\hepqyrt.exe	oeakokf.exe
File opened for modification	C:\Windows\SysWOW64\veacdpy.exe	cxowwaw.exe
File opened for modification	C:\Windows\SysWOW64\plmoakc.exe	wlpzyvg.exe
File opened for modification	C:\Windows\SysWOW64\rihncfw.exe	yirybya.exe
File created	C:\Windows\SysWOW64\gbnaxqz.exe	rihncfw.exe
File created	C:\Windows\SysWOW64\noxwlav.exe	gbnaxqz.exe
File opened for modification	C:\Windows\SysWOW64\ramizbo.exe	ykbcslm.exe
File created	C:\Windows\SysWOW64\veacdpy.exe	cxowwaw.exe
File opened for modification	C:\Windows\SysWOW64\fyyxjxh.exe	pidosjm.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1812	1192	WerFault.exe	82
2924	2320	WerFault.exe	87
32	4688	WerFault.exe	91
2956	2392	WerFault.exe	97
3640	4336	WerFault.exe	105
1784	1904	WerFault.exe	111
3504	4116	WerFault.exe	119
3012	4988	WerFault.exe	123
3096	3848	WerFault.exe	127
4648	1740	WerFault.exe	131
2388	3608	WerFault.exe	135
3828	2744	WerFault.exe	139
832	4312	WerFault.exe	143
5076	3056	WerFault.exe	148
4932	3212	WerFault.exe	152
1844	3804	WerFault.exe	157
3912	3124	WerFault.exe	161
2284	636	WerFault.exe	165
2160	1808	WerFault.exe	169
1824	1892	WerFault.exe	173
832	1372	WerFault.exe	177
5028	4208	WerFault.exe	181
3136	2988	WerFault.exe	185
2228	1576	WerFault.exe	189
1360	1164	WerFault.exe	193
2868	2408	WerFault.exe	197
2692	3420	WerFault.exe	201
516	4084	WerFault.exe	205
4596	2388	WerFault.exe	209
1608	1364	WerFault.exe	213
3588	5116	WerFault.exe	217
3116	3184	WerFault.exe	221
1008	3504	WerFault.exe	225
3180	1312	WerFault.exe	229
3480	1480	WerFault.exe	233
4000	756	WerFault.exe	237
2552	4220	WerFault.exe	241
4908	2312	WerFault.exe	245
348	2028	WerFault.exe	249
2848	4820	WerFault.exe	253
4584	4380	WerFault.exe	257
1464	872	WerFault.exe	261
2784	920	WerFault.exe	265
2536	2868	WerFault.exe	269
2692	2424	WerFault.exe	273
2500	4712	WerFault.exe	277
1416	1780	WerFault.exe	281
4168	212	WerFault.exe	285
4444	4188	WerFault.exe	289
2520	800	WerFault.exe	293
4652	1360	WerFault.exe	297
2044	2052	WerFault.exe	301
2912	1848	WerFault.exe	305
1668	2204	WerFault.exe	309
4796	1384	WerFault.exe	313
4448	2956	WerFault.exe	317
2640	844	WerFault.exe	321
3004	3116	WerFault.exe	325
3316	1820	WerFault.exe	329
2904	760	WerFault.exe	333
2184	808	WerFault.exe	337
3092	3988	WerFault.exe	341
1648	4596	WerFault.exe	345
1056	3856	WerFault.exe	349

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efscuve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nipfrzq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqwocfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	figiqcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atbsaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykazwgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxvehiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thuncta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vaezbjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pesmtuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fqcaheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghabfrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veacdpy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fyyxjxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cavvmzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjcexek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwshmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swjmnaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoxbfvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzpnucq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqtvory.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skynygc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nroljps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldgjjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iueuwom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wukzpxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahfcech.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prfsycm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oeakokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeweodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gbnaxqz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syfoiah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfruqqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvmdhwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cthwfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hepqyrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqfxson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agyttmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kgcnlnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oylsujs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdlrctv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgllhnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rihncfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	errelex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnbabah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzfektj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgxiqlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ramizbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lohokre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goulnhr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sycaopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggagkvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niavqbt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjkdtmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plmoakc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofhqeca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yirybya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykbcslm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxowwaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidosjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhxgvvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlpzyvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noxwlav.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2320	1192	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	87
PID 1192 wrote to memory of 2320	1192	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	87
PID 1192 wrote to memory of 2320	1192	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	87
PID 2320 wrote to memory of 4688	2320	dzpnucq.exe	91
PID 2320 wrote to memory of 4688	2320	dzpnucq.exe	91
PID 2320 wrote to memory of 4688	2320	dzpnucq.exe	91
PID 4688 wrote to memory of 2392	4688	nroljps.exe	97
PID 4688 wrote to memory of 2392	4688	nroljps.exe	97
PID 4688 wrote to memory of 2392	4688	nroljps.exe	97
PID 2392 wrote to memory of 4336	2392	prfsycm.exe	105
PID 2392 wrote to memory of 4336	2392	prfsycm.exe	105
PID 2392 wrote to memory of 4336	2392	prfsycm.exe	105
PID 4336 wrote to memory of 1904	4336	cavvmzm.exe	111
PID 4336 wrote to memory of 1904	4336	cavvmzm.exe	111
PID 4336 wrote to memory of 1904	4336	cavvmzm.exe	111
PID 1904 wrote to memory of 4116	1904	sjcexek.exe	119
PID 1904 wrote to memory of 4116	1904	sjcexek.exe	119
PID 1904 wrote to memory of 4116	1904	sjcexek.exe	119
PID 4116 wrote to memory of 4988	4116	figiqcq.exe	123
PID 4116 wrote to memory of 4988	4116	figiqcq.exe	123
PID 4116 wrote to memory of 4988	4116	figiqcq.exe	123
PID 4988 wrote to memory of 3848	4988	pidosjm.exe	127
PID 4988 wrote to memory of 3848	4988	pidosjm.exe	127
PID 4988 wrote to memory of 3848	4988	pidosjm.exe	127
PID 3848 wrote to memory of 1740	3848	fyyxjxh.exe	131
PID 3848 wrote to memory of 1740	3848	fyyxjxh.exe	131
PID 3848 wrote to memory of 1740	3848	fyyxjxh.exe	131
PID 1740 wrote to memory of 3608	1740	vhxgvvf.exe	135
PID 1740 wrote to memory of 3608	1740	vhxgvvf.exe	135
PID 1740 wrote to memory of 3608	1740	vhxgvvf.exe	135
PID 3608 wrote to memory of 2744	3608	kwshmcj.exe	139
PID 3608 wrote to memory of 2744	3608	kwshmcj.exe	139
PID 3608 wrote to memory of 2744	3608	kwshmcj.exe	139
PID 2744 wrote to memory of 4312	2744	zjkdtmf.exe	143
PID 2744 wrote to memory of 4312	2744	zjkdtmf.exe	143
PID 2744 wrote to memory of 4312	2744	zjkdtmf.exe	143
PID 4312 wrote to memory of 3056	4312	hzfektj.exe	148
PID 4312 wrote to memory of 3056	4312	hzfektj.exe	148
PID 4312 wrote to memory of 3056	4312	hzfektj.exe	148
PID 3056 wrote to memory of 3212	3056	wlpzyvg.exe	152
PID 3056 wrote to memory of 3212	3056	wlpzyvg.exe	152
PID 3056 wrote to memory of 3212	3056	wlpzyvg.exe	152
PID 3212 wrote to memory of 3804	3212	plmoakc.exe	157
PID 3212 wrote to memory of 3804	3212	plmoakc.exe	157
PID 3212 wrote to memory of 3804	3212	plmoakc.exe	157
PID 3804 wrote to memory of 3124	3804	efscuve.exe	161
PID 3804 wrote to memory of 3124	3804	efscuve.exe	161
PID 3804 wrote to memory of 3124	3804	efscuve.exe	161
PID 3124 wrote to memory of 636	3124	ofhqeca.exe	165
PID 3124 wrote to memory of 636	3124	ofhqeca.exe	165
PID 3124 wrote to memory of 636	3124	ofhqeca.exe	165
PID 636 wrote to memory of 1808	636	errelex.exe	169
PID 636 wrote to memory of 1808	636	errelex.exe	169
PID 636 wrote to memory of 1808	636	errelex.exe	169
PID 1808 wrote to memory of 1892	1808	thuncta.exe	173
PID 1808 wrote to memory of 1892	1808	thuncta.exe	173
PID 1808 wrote to memory of 1892	1808	thuncta.exe	173
PID 1892 wrote to memory of 1372	1892	jqtvory.exe	177
PID 1892 wrote to memory of 1372	1892	jqtvory.exe	177
PID 1892 wrote to memory of 1372	1892	jqtvory.exe	177
PID 1372 wrote to memory of 4208	1372	zdlrctv.exe	181
PID 1372 wrote to memory of 4208	1372	zdlrctv.exe	181
PID 1372 wrote to memory of 4208	1372	zdlrctv.exe	181
PID 4208 wrote to memory of 2988	4208	jgllhnq.exe	185

C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 388
  2⤵
  - Program crash
  PID:1812
- C:\Windows\SysWOW64\dzpnucq.exe
  C:\Windows\system32\dzpnucq.exe 1376 "C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 388
    3⤵
    - Program crash
    PID:2924
- - C:\Windows\SysWOW64\nroljps.exe
    C:\Windows\system32\nroljps.exe 1264 "C:\Windows\SysWOW64\dzpnucq.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 388
      4⤵
      Program crash
      PID:32
  - - C:\Windows\SysWOW64\prfsycm.exe
      C:\Windows\system32\prfsycm.exe 1260 "C:\Windows\SysWOW64\nroljps.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 388
        5⤵
        Program crash
        
        PID:2956
    - - C:\Windows\SysWOW64\cavvmzm.exe
        
        C:\Windows\system32\cavvmzm.exe 1392 "C:\Windows\SysWOW64\prfsycm.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 388
        6⤵
        Program crash
        
        PID:3640
      - C:\Windows\SysWOW64\sjcexek.exe
        
        C:\Windows\system32\sjcexek.exe 1324 "C:\Windows\SysWOW64\cavvmzm.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 396
        7⤵
        Program crash
        
        PID:1784
        
        C:\Windows\SysWOW64\figiqcq.exe
        
        C:\Windows\system32\figiqcq.exe 1400 "C:\Windows\SysWOW64\sjcexek.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 388
        8⤵
        Program crash
        
        PID:3504
        
        C:\Windows\SysWOW64\pidosjm.exe
        
        C:\Windows\system32\pidosjm.exe 1432 "C:\Windows\SysWOW64\figiqcq.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 388
        9⤵
        Program crash
        
        PID:3012
        
        C:\Windows\SysWOW64\fyyxjxh.exe
        
        C:\Windows\system32\fyyxjxh.exe 1300 "C:\Windows\SysWOW64\pidosjm.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 388
        10⤵
        Program crash
        
        PID:3096
        
        C:\Windows\SysWOW64\vhxgvvf.exe
        
        C:\Windows\system32\vhxgvvf.exe 1384 "C:\Windows\SysWOW64\fyyxjxh.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 388
        11⤵
        Program crash
        
        PID:4648
        
        C:\Windows\SysWOW64\kwshmcj.exe
        
        C:\Windows\system32\kwshmcj.exe 1440 "C:\Windows\SysWOW64\vhxgvvf.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 392
        12⤵
        Program crash
        
        PID:2388
        
        C:\Windows\SysWOW64\zjkdtmf.exe
        
        C:\Windows\system32\zjkdtmf.exe 1452 "C:\Windows\SysWOW64\kwshmcj.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 388
        13⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\hzfektj.exe
        
        C:\Windows\system32\hzfektj.exe 1304 "C:\Windows\SysWOW64\zjkdtmf.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 400
        14⤵
        Program crash
        
        PID:832
        
        C:\Windows\SysWOW64\wlpzyvg.exe
        
        C:\Windows\system32\wlpzyvg.exe 1464 "C:\Windows\SysWOW64\hzfektj.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 388
        15⤵
        Program crash
        
        PID:5076
        
        C:\Windows\SysWOW64\plmoakc.exe
        
        C:\Windows\system32\plmoakc.exe 1320 "C:\Windows\SysWOW64\wlpzyvg.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 392
        16⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\efscuve.exe
        
        C:\Windows\system32\efscuve.exe 1340 "C:\Windows\SysWOW64\plmoakc.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 388
        17⤵
        Program crash
        
        PID:1844
        
        C:\Windows\SysWOW64\ofhqeca.exe
        
        C:\Windows\system32\ofhqeca.exe 1488 "C:\Windows\SysWOW64\efscuve.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 392
        18⤵
        Program crash
        
        PID:3912
        
        C:\Windows\SysWOW64\errelex.exe
        
        C:\Windows\system32\errelex.exe 1352 "C:\Windows\SysWOW64\ofhqeca.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 392
        19⤵
        Program crash
        
        PID:2284
        
        C:\Windows\SysWOW64\thuncta.exe
        
        C:\Windows\system32\thuncta.exe 1508 "C:\Windows\SysWOW64\errelex.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 388
        20⤵
        Program crash
        
        PID:2160
        
        C:\Windows\SysWOW64\jqtvory.exe
        
        C:\Windows\system32\jqtvory.exe 1356 "C:\Windows\SysWOW64\thuncta.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 392
        21⤵
        Program crash
        
        PID:1824
        
        C:\Windows\SysWOW64\zdlrctv.exe
        
        C:\Windows\system32\zdlrctv.exe 1372 "C:\Windows\SysWOW64\jqtvory.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 388
        22⤵
        Program crash
        
        PID:832
        
        C:\Windows\SysWOW64\jgllhnq.exe
        
        C:\Windows\system32\jgllhnq.exe 1532 "C:\Windows\SysWOW64\zdlrctv.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 388
        23⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\yirybya.exe
        
        C:\Windows\system32\yirybya.exe 1536 "C:\Windows\SysWOW64\jgllhnq.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 388
        24⤵
        Program crash
        
        PID:3136
        
        C:\Windows\SysWOW64\rihncfw.exe
        
        C:\Windows\system32\rihncfw.exe 1404 "C:\Windows\SysWOW64\yirybya.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 388
        25⤵
        Program crash
        
        PID:2228
        
        C:\Windows\SysWOW64\gbnaxqz.exe
        
        C:\Windows\system32\gbnaxqz.exe 1412 "C:\Windows\SysWOW64\rihncfw.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 388
        26⤵
        Program crash
        
        PID:1360
        
        C:\Windows\SysWOW64\noxwlav.exe
        
        C:\Windows\system32\noxwlav.exe 1424 "C:\Windows\SysWOW64\gbnaxqz.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 388
        27⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\goulnhr.exe
        
        C:\Windows\system32\goulnhr.exe 1428 "C:\Windows\SysWOW64\noxwlav.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 388
        28⤵
        Program crash
        
        PID:2692
        
        C:\Windows\SysWOW64\vaezbjo.exe
        
        C:\Windows\system32\vaezbjo.exe 1576 "C:\Windows\SysWOW64\goulnhr.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 388
        29⤵
        Program crash
        
        PID:516
        
        C:\Windows\SysWOW64\nipfrzq.exe
        
        C:\Windows\system32\nipfrzq.exe 1448 "C:\Windows\SysWOW64\vaezbjo.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 396
        30⤵
        Program crash
        
        PID:4596
        
        C:\Windows\SysWOW64\dqwocfo.exe
        
        C:\Windows\system32\dqwocfo.exe 1468 "C:\Windows\SysWOW64\nipfrzq.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 388
        31⤵
        Program crash
        
        PID:1608
        
        C:\Windows\SysWOW64\ldgjjhk.exe
        
        C:\Windows\system32\ldgjjhk.exe 1472 "C:\Windows\SysWOW64\dqwocfo.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 392
        32⤵
        Program crash
        
        PID:3588
        
        C:\Windows\SysWOW64\atbsaoo.exe
        
        C:\Windows\system32\atbsaoo.exe 1460 "C:\Windows\SysWOW64\ldgjjhk.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 388
        33⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\swjmnaj.exe
        
        C:\Windows\system32\swjmnaj.exe 1624 "C:\Windows\SysWOW64\atbsaoo.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 388
        34⤵
        Program crash
        
        PID:1008
        
        C:\Windows\SysWOW64\iueuwom.exe
        
        C:\Windows\system32\iueuwom.exe 1500 "C:\Windows\SysWOW64\swjmnaj.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 392
        35⤵
        Program crash
        
        PID:3180
        
        C:\Windows\SysWOW64\syfoiah.exe
        
        C:\Windows\system32\syfoiah.exe 1504 "C:\Windows\SysWOW64\iueuwom.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 388
        36⤵
        Program crash
        
        PID:3480
        
        C:\Windows\SysWOW64\kfruqqj.exe
        
        C:\Windows\system32\kfruqqj.exe 1516 "C:\Windows\SysWOW64\syfoiah.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 384
        37⤵
        Program crash
        
        PID:4000
        
        C:\Windows\SysWOW64\zvmdhwm.exe
        
        C:\Windows\system32\zvmdhwm.exe 1524 "C:\Windows\SysWOW64\kfruqqj.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 388
        38⤵
        Program crash
        
        PID:2552
        
        C:\Windows\SysWOW64\pesmtuc.exe
        
        C:\Windows\system32\pesmtuc.exe 1540 "C:\Windows\SysWOW64\zvmdhwm.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 388
        39⤵
        Program crash
        
        PID:4908
        
        C:\Windows\SysWOW64\fqcaheh.exe
        
        C:\Windows\system32\fqcaheh.exe 1528 "C:\Windows\SysWOW64\pesmtuc.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 388
        40⤵
        Program crash
        
        PID:348
        
        C:\Windows\SysWOW64\mgxiqlc.exe
        
        C:\Windows\system32\mgxiqlc.exe 1548 "C:\Windows\SysWOW64\fqcaheh.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 388
        41⤵
        Program crash
        
        PID:2848
        
        C:\Windows\SysWOW64\cthwfnh.exe
        
        C:\Windows\system32\cthwfnh.exe 1672 "C:\Windows\SysWOW64\mgxiqlc.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 388
        42⤵
        Program crash
        
        PID:4584
        
        C:\Windows\SysWOW64\sycaopy.exe
        
        C:\Windows\system32\sycaopy.exe 1568 "C:\Windows\SysWOW64\cthwfnh.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 388
        43⤵
        Program crash
        
        PID:1464
        
        C:\Windows\SysWOW64\hoxbfvc.exe
        
        C:\Windows\system32\hoxbfvc.exe 1696 "C:\Windows\SysWOW64\sycaopy.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 392
        44⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\oeakokf.exe
        
        C:\Windows\system32\oeakokf.exe 1572 "C:\Windows\SysWOW64\hoxbfvc.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 400
        45⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\hepqyrt.exe
        
        C:\Windows\system32\hepqyrt.exe 1712 "C:\Windows\SysWOW64\oeakokf.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 384
        46⤵
        Program crash
        
        PID:2692
        
        C:\Windows\SysWOW64\wukzpxx.exe
        
        C:\Windows\system32\wukzpxx.exe 1600 "C:\Windows\SysWOW64\hepqyrt.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 388
        47⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\oylsujs.exe
        
        C:\Windows\system32\oylsujs.exe 1728 "C:\Windows\SysWOW64\wukzpxx.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 388
        48⤵
        Program crash
        
        PID:1416
        
        C:\Windows\SysWOW64\hctthvu.exe
        
        C:\Windows\system32\hctthvu.exe 1608 "C:\Windows\SysWOW64\oylsujs.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 392
        49⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\odahbfx.exe
        
        C:\Windows\system32\odahbfx.exe 1744 "C:\Windows\SysWOW64\hctthvu.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 388
        50⤵
        Program crash
        
        PID:4444
        
        C:\Windows\SysWOW64\ghabfrs.exe
        
        C:\Windows\system32\ghabfrs.exe 1620 "C:\Windows\SysWOW64\odahbfx.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 388
        51⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\ykbcslm.exe
        
        C:\Windows\system32\ykbcslm.exe 1760 "C:\Windows\SysWOW64\ghabfrs.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 388
        52⤵
        Program crash
        
        PID:4652
        
        C:\Windows\SysWOW64\ramizbo.exe
        
        C:\Windows\system32\ramizbo.exe 1768 "C:\Windows\SysWOW64\ykbcslm.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 388
        53⤵
        Program crash
        
        PID:2044
        
        C:\Windows\SysWOW64\yeweodl.exe
        
        C:\Windows\system32\yeweodl.exe 1636 "C:\Windows\SysWOW64\ramizbo.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 388
        54⤵
        Program crash
        
        PID:2912
        
        C:\Windows\SysWOW64\qqfxson.exe
        
        C:\Windows\system32\qqfxson.exe 1788 "C:\Windows\SysWOW64\yeweodl.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 392
        55⤵
        Program crash
        
        PID:1668
        
        C:\Windows\SysWOW64\ggagkvj.exe
        
        C:\Windows\system32\ggagkvj.exe 1792 "C:\Windows\SysWOW64\qqfxson.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 384
        56⤵
        Program crash
        
        PID:4796
        
        C:\Windows\SysWOW64\ykazwgm.exe
        
        C:\Windows\system32\ykazwgm.exe 1800 "C:\Windows\SysWOW64\ggagkvj.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 388
        57⤵
        Program crash
        
        PID:4448
        
        C:\Windows\SysWOW64\qnbabah.exe
        
        C:\Windows\system32\qnbabah.exe 1652 "C:\Windows\SysWOW64\ykazwgm.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 388
        58⤵
        Program crash
        
        PID:2640
        
        C:\Windows\SysWOW64\agyttmh.exe
        
        C:\Windows\system32\agyttmh.exe 1820 "C:\Windows\SysWOW64\qnbabah.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 388
        59⤵
        Program crash
        
        PID:3004
        
        C:\Windows\SysWOW64\skynygc.exe
        
        C:\Windows\system32\skynygc.exe 1824 "C:\Windows\SysWOW64\agyttmh.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 388
        60⤵
        Program crash
        
        PID:3316
        
        C:\Windows\SysWOW64\lohokre.exe
        
        C:\Windows\system32\lohokre.exe 1668 "C:\Windows\SysWOW64\skynygc.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 388
        61⤵
        Program crash
        
        PID:2904
        
        C:\Windows\SysWOW64\ahfcech.exe
        
        C:\Windows\system32\ahfcech.exe 1840 "C:\Windows\SysWOW64\lohokre.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 392
        62⤵
        Program crash
        
        PID:2184
        
        C:\Windows\SysWOW64\khcigkd.exe
        
        C:\Windows\system32\khcigkd.exe 1856 "C:\Windows\SysWOW64\ahfcech.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 392
        63⤵
        Program crash
        
        PID:3092
        
        C:\Windows\SysWOW64\cxowwaw.exe
        
        C:\Windows\system32\cxowwaw.exe 1864 "C:\Windows\SysWOW64\khcigkd.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 388
        64⤵
        Program crash
        
        PID:1648
        
        C:\Windows\SysWOW64\veacdpy.exe
        
        C:\Windows\system32\veacdpy.exe 1872 "C:\Windows\SysWOW64\cxowwaw.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 388
        65⤵
        Program crash
        
        PID:1056
        
        C:\Windows\SysWOW64\niavqbt.exe
        
        C:\Windows\system32\niavqbt.exe 1868 "C:\Windows\SysWOW64\veacdpy.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 388
        66⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cxvehiw.exe
        
        C:\Windows\system32\cxvehiw.exe 1880 "C:\Windows\SysWOW64\niavqbt.exe"
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 392
        67⤵
        
        PID:320
        
        C:\Windows\SysWOW64\kgcnlnu.exe
        
        C:\Windows\system32\kgcnlnu.exe 1896 "C:\Windows\SysWOW64\cxvehiw.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 388
        68⤵
        
        PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1192 -ip 1192
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2320 -ip 2320
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4688 -ip 4688
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2392 -ip 2392
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4336 -ip 4336
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1904 -ip 1904
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4116 -ip 4116
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3848 -ip 3848
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1740 -ip 1740
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3608 -ip 3608
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2744 -ip 2744
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4312 -ip 4312
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3056 -ip 3056
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3212 -ip 3212
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3804 -ip 3804
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3124 -ip 3124
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 636 -ip 636
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1808 -ip 1808
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1892 -ip 1892
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1372 -ip 1372
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4208 -ip 4208
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2988 -ip 2988
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1576 -ip 1576
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1164 -ip 1164
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2408 -ip 2408
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3420 -ip 3420
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4084 -ip 4084
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2388 -ip 2388
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1364 -ip 1364
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5116 -ip 5116
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3184 -ip 3184
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3504 -ip 3504
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1312 -ip 1312
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1480 -ip 1480
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 756 -ip 756
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4220 -ip 4220
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2028 -ip 2028
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4820 -ip 4820
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 872 -ip 872
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 920 -ip 920
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2868 -ip 2868
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 2424
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4712 -ip 4712
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 212 -ip 212
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4188 -ip 4188
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 800 -ip 800
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1360 -ip 1360
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2052 -ip 2052
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1848 -ip 1848
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2204 -ip 2204
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1384 -ip 1384
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2956 -ip 2956
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 844 -ip 844
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3116 -ip 3116
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1820 -ip 1820
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 760 -ip 760
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 808 -ip 808
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3988 -ip 3988
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4596 -ip 4596
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3856 -ip 3856
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3612 -ip 3612
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4876 -ip 4876
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1572 -ip 1572
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dzpnucq.exe

Filesize
274KB

MD5
ce46eb95fece1606dc284b8c04b493d2

SHA1
ddf05e9185be47fa1cf11cf3d296ec66f81f6477

SHA256
5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290

SHA512
751ea1f43bab69d63151b076f4c689018743a8c5a3adcc162429718c1891de64e1c4953440eab7b5c55242f0dd2dbba0d4e4f91ae84be6e807af679e004daa16

Download Submit
memory/212-339-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/636-145-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/756-267-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/760-411-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/800-351-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/808-417-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/844-393-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/872-303-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/920-309-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1164-194-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1192-14-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1192-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1192-3-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1192-15-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/1192-2-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/1192-4-0x0000000002450000-0x0000000002455000-memory.dmp

Filesize
20KB

Download
memory/1192-5-0x0000000002B20000-0x0000000002B4C000-memory.dmp

Filesize
176KB

Download
memory/1312-255-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1360-357-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1364-230-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1372-166-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1384-381-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1480-261-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1576-187-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1740-89-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1780-333-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1808-152-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1820-405-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1848-369-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1892-159-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1904-61-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2028-285-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2052-363-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2204-375-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2312-279-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2320-28-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2320-16-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2320-12-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2320-13-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2320-29-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2320-17-0x0000000002390000-0x0000000002395000-memory.dmp

Filesize
20KB

Download
memory/2320-18-0x00000000028C0000-0x00000000028EC000-memory.dmp

Filesize
176KB

Download
memory/2388-223-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2392-47-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2408-201-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2424-321-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-103-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2868-315-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2956-387-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2988-180-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3056-117-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3116-399-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3124-138-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3184-244-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3212-116-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3212-124-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3420-209-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3504-249-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3608-96-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3612-441-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3804-131-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3848-82-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3856-435-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/3988-423-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4084-216-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4116-60-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4116-68-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4188-345-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4208-173-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4220-273-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4312-110-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4336-54-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4380-297-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4596-429-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4688-32-0x00000000029E0000-0x0000000002A0C000-memory.dmp

Filesize
176KB

Download
memory/4688-31-0x0000000000770000-0x0000000000775000-memory.dmp

Filesize
20KB

Download
memory/4688-39-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4688-30-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4688-25-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4688-26-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/4688-40-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/4712-327-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4820-291-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4876-447-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/4988-75-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/5116-237-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download