metasploit | 17692e2c673b9864ea7a1de50201c5ea584c97e873214decd521d19e88929a0f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
Size

168KB
MD5

86584144a2d1a5daba6742ad57990711
SHA1

75b11e27bfe8c0368d5cde98243a5ce98cf6057d
SHA256

17692e2c673b9864ea7a1de50201c5ea584c97e873214decd521d19e88929a0f
SHA512

523b1b5937113f8993236893b48ca2b988b6a91c54d5dcbdb09a99aa3680aad0d9025d43639946b563ff1c790df56e3be8fe9c9d589d74b3b95e95dcfa1cc82e
SSDEEP

3072:4dSNzTtd65UuhJNf4mpDzKXtkpF7PE7mkUWGdVRfXDIXOqx:4+z6XhADXCpF7PcISr

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wnpdx4.exe

Deletes itself 1 IoCs

pid	Process
220	wnpdx4.exe

Executes dropped EXE 64 IoCs

pid	Process
1612	wnpdx4.exe
220	wnpdx4.exe
4848	wnpdx4.exe
4760	wnpdx4.exe
2736	wnpdx4.exe
400	wnpdx4.exe
2840	wnpdx4.exe
4128	wnpdx4.exe
1040	wnpdx4.exe
4600	wnpdx4.exe
3032	wnpdx4.exe
3260	wnpdx4.exe
2000	wnpdx4.exe
3044	wnpdx4.exe
5028	wnpdx4.exe
2948	wnpdx4.exe
4740	wnpdx4.exe
2684	wnpdx4.exe
1168	wnpdx4.exe
1000	wnpdx4.exe
768	wnpdx4.exe
2712	wnpdx4.exe
1956	wnpdx4.exe
3048	wnpdx4.exe
4696	wnpdx4.exe
1372	wnpdx4.exe
3868	wnpdx4.exe
368	wnpdx4.exe
2140	wnpdx4.exe
3748	wnpdx4.exe
688	wnpdx4.exe
3624	wnpdx4.exe
3348	wnpdx4.exe
1504	wnpdx4.exe
1180	wnpdx4.exe
224	wnpdx4.exe
2808	wnpdx4.exe
2812	wnpdx4.exe
1756	wnpdx4.exe
3872	wnpdx4.exe
1688	wnpdx4.exe
1660	wnpdx4.exe
2132	wnpdx4.exe
1956	wnpdx4.exe
5044	wnpdx4.exe
404	wnpdx4.exe
748	wnpdx4.exe
1584	wnpdx4.exe
1304	wnpdx4.exe
2728	wnpdx4.exe
916	wnpdx4.exe
2816	wnpdx4.exe
3792	wnpdx4.exe
3220	wnpdx4.exe
5072	wnpdx4.exe
1256	wnpdx4.exe
1732	wnpdx4.exe
2612	wnpdx4.exe
4996	wnpdx4.exe
4040	wnpdx4.exe
4372	wnpdx4.exe
3804	wnpdx4.exe
2132	wnpdx4.exe
4552	wnpdx4.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3736-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3736-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3736-3-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3736-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3736-38-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/220-45-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/220-44-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/220-43-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/220-47-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4760-53-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4760-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/400-59-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/400-60-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/400-61-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/400-64-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4128-68-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4128-69-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4128-70-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4600-77-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4600-78-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3260-86-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3044-90-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3044-91-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3044-93-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2948-97-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2948-99-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2948-98-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2948-102-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2684-106-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2684-107-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2684-109-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1000-115-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1000-119-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2712-124-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2712-126-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3048-135-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1372-144-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/368-149-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/368-153-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3748-161-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3624-166-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3624-171-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1504-176-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1504-180-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/224-188-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2812-193-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2812-198-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3872-203-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3872-207-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1660-212-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1660-217-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1956-225-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/404-234-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1584-240-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2728-244-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2728-247-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2816-250-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2816-254-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3220-257-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3220-261-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1256-265-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1256-268-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2612-272-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2612-275-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpdx4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpdx4.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File opened for modification	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe
File created	C:\Windows\SysWOW64\wnpdx4.exe	wnpdx4.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 5028 set thread context of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 1612 set thread context of 220	1612	wnpdx4.exe	91
PID 4848 set thread context of 4760	4848	wnpdx4.exe	95
PID 2736 set thread context of 400	2736	wnpdx4.exe	98
PID 2840 set thread context of 4128	2840	wnpdx4.exe	101
PID 1040 set thread context of 4600	1040	wnpdx4.exe	104
PID 3032 set thread context of 3260	3032	wnpdx4.exe	106
PID 2000 set thread context of 3044	2000	wnpdx4.exe	108
PID 5028 set thread context of 2948	5028	wnpdx4.exe	110
PID 4740 set thread context of 2684	4740	wnpdx4.exe	112
PID 1168 set thread context of 1000	1168	wnpdx4.exe	115
PID 768 set thread context of 2712	768	wnpdx4.exe	118
PID 1956 set thread context of 3048	1956	wnpdx4.exe	121
PID 4696 set thread context of 1372	4696	wnpdx4.exe	123
PID 3868 set thread context of 368	3868	wnpdx4.exe	125
PID 2140 set thread context of 3748	2140	wnpdx4.exe	127
PID 688 set thread context of 3624	688	wnpdx4.exe	129
PID 3348 set thread context of 1504	3348	wnpdx4.exe	131
PID 1180 set thread context of 224	1180	wnpdx4.exe	133
PID 2808 set thread context of 2812	2808	wnpdx4.exe	135
PID 1756 set thread context of 3872	1756	wnpdx4.exe	137
PID 1688 set thread context of 1660	1688	wnpdx4.exe	141
PID 2132 set thread context of 1956	2132	wnpdx4.exe	143
PID 5044 set thread context of 404	5044	wnpdx4.exe	145
PID 748 set thread context of 1584	748	wnpdx4.exe	147
PID 1304 set thread context of 2728	1304	wnpdx4.exe	149
PID 916 set thread context of 2816	916	wnpdx4.exe	151
PID 3792 set thread context of 3220	3792	wnpdx4.exe	153
PID 5072 set thread context of 1256	5072	wnpdx4.exe	155
PID 1732 set thread context of 2612	1732	wnpdx4.exe	157
PID 4996 set thread context of 4040	4996	wnpdx4.exe	159
PID 4372 set thread context of 3804	4372	wnpdx4.exe	161
PID 2132 set thread context of 4552	2132	wnpdx4.exe	167
PID 2208 set thread context of 4676	2208	wnpdx4.exe	173
PID 3208 set thread context of 1352	3208	wnpdx4.exe	175
PID 1176 set thread context of 2248	1176	wnpdx4.exe	177
PID 2672 set thread context of 2768	2672	wnpdx4.exe	179
PID 2952 set thread context of 4620	2952	wnpdx4.exe	181
PID 4968 set thread context of 4388	4968	wnpdx4.exe	183
PID 384 set thread context of 840	384	wnpdx4.exe	185
PID 408 set thread context of 3040	408	wnpdx4.exe	187
PID 4064 set thread context of 3704	4064	wnpdx4.exe	189
PID 560 set thread context of 3196	560	wnpdx4.exe	191
PID 2508 set thread context of 5020	2508	wnpdx4.exe	193
PID 4604 set thread context of 932	4604	wnpdx4.exe	195
PID 4776 set thread context of 4320	4776	wnpdx4.exe	200
PID 2672 set thread context of 440	2672	wnpdx4.exe	202
PID 2004 set thread context of 1484	2004	wnpdx4.exe	204

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpdx4.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpdx4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3736	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
3736	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
220	wnpdx4.exe
220	wnpdx4.exe
4760	wnpdx4.exe
4760	wnpdx4.exe
400	wnpdx4.exe
400	wnpdx4.exe
4128	wnpdx4.exe
4128	wnpdx4.exe
4600	wnpdx4.exe
4600	wnpdx4.exe
3260	wnpdx4.exe
3260	wnpdx4.exe
3044	wnpdx4.exe
3044	wnpdx4.exe
2948	wnpdx4.exe
2948	wnpdx4.exe
2684	wnpdx4.exe
2684	wnpdx4.exe
1000	wnpdx4.exe
1000	wnpdx4.exe
2712	wnpdx4.exe
2712	wnpdx4.exe
3048	wnpdx4.exe
3048	wnpdx4.exe
1372	wnpdx4.exe
1372	wnpdx4.exe
368	wnpdx4.exe
368	wnpdx4.exe
3748	wnpdx4.exe
3748	wnpdx4.exe
3624	wnpdx4.exe
3624	wnpdx4.exe
1504	wnpdx4.exe
1504	wnpdx4.exe
224	wnpdx4.exe
224	wnpdx4.exe
2812	wnpdx4.exe
2812	wnpdx4.exe
3872	wnpdx4.exe
3872	wnpdx4.exe
1660	wnpdx4.exe
1660	wnpdx4.exe
1956	wnpdx4.exe
1956	wnpdx4.exe
404	wnpdx4.exe
404	wnpdx4.exe
1584	wnpdx4.exe
1584	wnpdx4.exe
2728	wnpdx4.exe
2728	wnpdx4.exe
2816	wnpdx4.exe
2816	wnpdx4.exe
3220	wnpdx4.exe
3220	wnpdx4.exe
1256	wnpdx4.exe
1256	wnpdx4.exe
2612	wnpdx4.exe
2612	wnpdx4.exe
4040	wnpdx4.exe
4040	wnpdx4.exe
3804	wnpdx4.exe
3804	wnpdx4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 5028 wrote to memory of 3736	5028	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	84
PID 3736 wrote to memory of 1612	3736	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	90
PID 3736 wrote to memory of 1612	3736	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	90
PID 3736 wrote to memory of 1612	3736	86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe	90
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 1612 wrote to memory of 220	1612	wnpdx4.exe	91
PID 220 wrote to memory of 4848	220	wnpdx4.exe	94
PID 220 wrote to memory of 4848	220	wnpdx4.exe	94
PID 220 wrote to memory of 4848	220	wnpdx4.exe	94
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4848 wrote to memory of 4760	4848	wnpdx4.exe	95
PID 4760 wrote to memory of 2736	4760	wnpdx4.exe	97
PID 4760 wrote to memory of 2736	4760	wnpdx4.exe	97
PID 4760 wrote to memory of 2736	4760	wnpdx4.exe	97
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 2736 wrote to memory of 400	2736	wnpdx4.exe	98
PID 400 wrote to memory of 2840	400	wnpdx4.exe	100
PID 400 wrote to memory of 2840	400	wnpdx4.exe	100
PID 400 wrote to memory of 2840	400	wnpdx4.exe	100
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 2840 wrote to memory of 4128	2840	wnpdx4.exe	101
PID 4128 wrote to memory of 1040	4128	wnpdx4.exe	103
PID 4128 wrote to memory of 1040	4128	wnpdx4.exe	103
PID 4128 wrote to memory of 1040	4128	wnpdx4.exe	103
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 1040 wrote to memory of 4600	1040	wnpdx4.exe	104
PID 4600 wrote to memory of 3032	4600	wnpdx4.exe	105
PID 4600 wrote to memory of 3032	4600	wnpdx4.exe	105
PID 4600 wrote to memory of 3032	4600	wnpdx4.exe	105
PID 3032 wrote to memory of 3260	3032	wnpdx4.exe	106
PID 3032 wrote to memory of 3260	3032	wnpdx4.exe	106
PID 3032 wrote to memory of 3260	3032	wnpdx4.exe	106
PID 3032 wrote to memory of 3260	3032	wnpdx4.exe	106

C:\Users\Admin\AppData\Local\Temp\86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\86584144a2d1a5daba6742ad57990711_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\wnpdx4.exe
    "C:\Windows\system32\wnpdx4.exe" C:\Users\Admin\AppData\Local\Temp\865841~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\wnpdx4.exe
      "C:\Windows\system32\wnpdx4.exe" C:\Users\Admin\AppData\Local\Temp\865841~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3260
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1168
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4696
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3868
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3348
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1180
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:224
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1756
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3872
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:404
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1304
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3220
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1732
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4372
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2208
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:3208
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        71⤵
        Suspicious use of SetThreadContext
        
        PID:1176
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2672
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2952
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:4968
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:4064
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:2508
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        88⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        89⤵
        Suspicious use of SetThreadContext
        
        PID:4604
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        92⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        94⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        96⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\wnpdx4.exe
        
        "C:\Windows\system32\wnpdx4.exe" C:\Windows\SysWOW64\wnpdx4.exe
        98⤵
        
        PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpdx4.exe

Filesize
168KB

MD5
86584144a2d1a5daba6742ad57990711

SHA1
75b11e27bfe8c0368d5cde98243a5ce98cf6057d

SHA256
17692e2c673b9864ea7a1de50201c5ea584c97e873214decd521d19e88929a0f

SHA512
523b1b5937113f8993236893b48ca2b988b6a91c54d5dcbdb09a99aa3680aad0d9025d43639946b563ff1c790df56e3be8fe9c9d589d74b3b95e95dcfa1cc82e

Download Submit
memory/220-47-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/220-45-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/220-44-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/220-43-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/224-188-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/368-153-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/368-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/400-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/400-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/400-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/400-59-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/404-234-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/440-390-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/440-394-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/840-341-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/840-345-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/932-380-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/932-376-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1000-115-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1000-119-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1256-268-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1256-265-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1352-307-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1352-310-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1372-144-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1484-401-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1484-397-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1504-180-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1504-176-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1584-240-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1660-212-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1660-217-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1956-225-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2248-314-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2248-317-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2612-275-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2612-272-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2684-109-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2684-107-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2684-106-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2712-126-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2712-124-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2728-247-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2728-244-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2768-324-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2768-321-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2812-193-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2812-198-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2816-254-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2816-250-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-99-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-97-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-98-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2948-102-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3040-348-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3040-352-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3044-91-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3044-93-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3044-90-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3048-135-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3196-366-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3196-362-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3220-257-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3220-261-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3260-86-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3624-171-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3624-166-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3704-359-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3704-356-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3736-38-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3736-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3736-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3736-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3736-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3748-161-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3804-289-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3804-286-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3872-207-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3872-203-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4040-279-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4040-282-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4128-70-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4128-69-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4128-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4320-387-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4320-384-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-334-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-338-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4552-293-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4552-296-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4600-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4600-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4620-331-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4620-328-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4676-303-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4676-300-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4760-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4760-53-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5020-369-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5020-373-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download