27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
Size

28KB
MD5

bf38333a1243cf12ea3216cc2f07bd24
SHA1

53c8653bc4cf317b3d8c1cdbd9aa6a65b8bdc308
SHA256

27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548
SHA512

84ba45f4fefc3bc70cf470c11a93ddf1613df5aa1562bd808020b916c9ced96bcfd45a67ad78fcf7c986686586a1cc19e49ad44977d4ed06a229350248818c11
SSDEEP

768:SKH3OqDqRniZdPHeELIO3FrDyUxfha5G:SKXvGmdfeEsetOmP

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023482-4.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wintemp.exe

Executes dropped EXE 64 IoCs

pid	Process
3136	wintemp.exe
1500	wintemp.exe
4776	wintemp.exe
2860	wintemp.exe
4920	wintemp.exe
2692	wintemp.exe
368	wintemp.exe
4220	wintemp.exe
2044	wintemp.exe
4940	wintemp.exe
4136	wintemp.exe
800	wintemp.exe
1520	wintemp.exe
5048	wintemp.exe
4424	wintemp.exe
2300	wintemp.exe
2592	wintemp.exe
3064	wintemp.exe
116	wintemp.exe
2232	wintemp.exe
1740	wintemp.exe
4120	wintemp.exe
4184	wintemp.exe
532	wintemp.exe
1240	wintemp.exe
1612	wintemp.exe
4920	wintemp.exe
2396	wintemp.exe
3716	wintemp.exe
2956	wintemp.exe
2896	wintemp.exe
3484	wintemp.exe
220	wintemp.exe
3532	wintemp.exe
2864	wintemp.exe
2180	wintemp.exe
3004	wintemp.exe
2968	wintemp.exe
460	wintemp.exe
4532	wintemp.exe
4448	wintemp.exe
2960	wintemp.exe
4884	wintemp.exe
2304	wintemp.exe
548	wintemp.exe
856	wintemp.exe
4456	wintemp.exe
4904	wintemp.exe
3868	wintemp.exe
3212	wintemp.exe
464	wintemp.exe
3060	wintemp.exe
3716	wintemp.exe
652	wintemp.exe
1064	wintemp.exe
3564	wintemp.exe
3324	wintemp.exe
1992	wintemp.exe
4308	wintemp.exe
4676	wintemp.exe
460	wintemp.exe
3928	wintemp.exe
4892	wintemp.exe
2856	wintemp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wintemp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3136	2784	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	89
PID 2784 wrote to memory of 3136	2784	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	89
PID 2784 wrote to memory of 3136	2784	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	89
PID 3136 wrote to memory of 1500	3136	wintemp.exe	90
PID 3136 wrote to memory of 1500	3136	wintemp.exe	90
PID 3136 wrote to memory of 1500	3136	wintemp.exe	90
PID 1500 wrote to memory of 4776	1500	wintemp.exe	91
PID 1500 wrote to memory of 4776	1500	wintemp.exe	91
PID 1500 wrote to memory of 4776	1500	wintemp.exe	91
PID 4776 wrote to memory of 2860	4776	wintemp.exe	93
PID 4776 wrote to memory of 2860	4776	wintemp.exe	93
PID 4776 wrote to memory of 2860	4776	wintemp.exe	93
PID 2860 wrote to memory of 4920	2860	wintemp.exe	94
PID 2860 wrote to memory of 4920	2860	wintemp.exe	94
PID 2860 wrote to memory of 4920	2860	wintemp.exe	94
PID 4920 wrote to memory of 2692	4920	wintemp.exe	95
PID 4920 wrote to memory of 2692	4920	wintemp.exe	95
PID 4920 wrote to memory of 2692	4920	wintemp.exe	95
PID 2692 wrote to memory of 368	2692	wintemp.exe	96
PID 2692 wrote to memory of 368	2692	wintemp.exe	96
PID 2692 wrote to memory of 368	2692	wintemp.exe	96
PID 368 wrote to memory of 4220	368	wintemp.exe	97
PID 368 wrote to memory of 4220	368	wintemp.exe	97
PID 368 wrote to memory of 4220	368	wintemp.exe	97
PID 4220 wrote to memory of 2044	4220	wintemp.exe	99
PID 4220 wrote to memory of 2044	4220	wintemp.exe	99
PID 4220 wrote to memory of 2044	4220	wintemp.exe	99
PID 2044 wrote to memory of 4940	2044	wintemp.exe	100
PID 2044 wrote to memory of 4940	2044	wintemp.exe	100
PID 2044 wrote to memory of 4940	2044	wintemp.exe	100
PID 4940 wrote to memory of 4136	4940	wintemp.exe	101
PID 4940 wrote to memory of 4136	4940	wintemp.exe	101
PID 4940 wrote to memory of 4136	4940	wintemp.exe	101
PID 4136 wrote to memory of 800	4136	wintemp.exe	104
PID 4136 wrote to memory of 800	4136	wintemp.exe	104
PID 4136 wrote to memory of 800	4136	wintemp.exe	104
PID 800 wrote to memory of 1520	800	wintemp.exe	105
PID 800 wrote to memory of 1520	800	wintemp.exe	105
PID 800 wrote to memory of 1520	800	wintemp.exe	105
PID 1520 wrote to memory of 5048	1520	wintemp.exe	106
PID 1520 wrote to memory of 5048	1520	wintemp.exe	106
PID 1520 wrote to memory of 5048	1520	wintemp.exe	106
PID 5048 wrote to memory of 4424	5048	wintemp.exe	107
PID 5048 wrote to memory of 4424	5048	wintemp.exe	107
PID 5048 wrote to memory of 4424	5048	wintemp.exe	107
PID 4424 wrote to memory of 2300	4424	wintemp.exe	108
PID 4424 wrote to memory of 2300	4424	wintemp.exe	108
PID 4424 wrote to memory of 2300	4424	wintemp.exe	108
PID 2300 wrote to memory of 2592	2300	wintemp.exe	111
PID 2300 wrote to memory of 2592	2300	wintemp.exe	111
PID 2300 wrote to memory of 2592	2300	wintemp.exe	111
PID 2592 wrote to memory of 3064	2592	wintemp.exe	112
PID 2592 wrote to memory of 3064	2592	wintemp.exe	112
PID 2592 wrote to memory of 3064	2592	wintemp.exe	112
PID 3064 wrote to memory of 116	3064	wintemp.exe	113
PID 3064 wrote to memory of 116	3064	wintemp.exe	113
PID 3064 wrote to memory of 116	3064	wintemp.exe	113
PID 116 wrote to memory of 2232	116	wintemp.exe	114
PID 116 wrote to memory of 2232	116	wintemp.exe	114
PID 116 wrote to memory of 2232	116	wintemp.exe	114
PID 2232 wrote to memory of 1740	2232	wintemp.exe	115
PID 2232 wrote to memory of 1740	2232	wintemp.exe	115
PID 2232 wrote to memory of 1740	2232	wintemp.exe	115
PID 1740 wrote to memory of 4120	1740	wintemp.exe	116

C:\Users\Admin\AppData\Local\Temp\bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784
- C:\windows\SysWOW64\wintemp.exe
  "C:\windows\system32\wintemp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\windows\SysWOW64\wintemp.exe
    "C:\windows\system32\wintemp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\windows\SysWOW64\wintemp.exe
      "C:\windows\system32\wintemp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        25⤵
        Executes dropped EXE
        
        PID:532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        27⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        31⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2896
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        33⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        37⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3004
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        42⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        43⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        45⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        46⤵
        Executes dropped EXE
        
        PID:548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        48⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3868
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        53⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        56⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        58⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        59⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        63⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        66⤵
        Checks computer location settings
        
        PID:3752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        70⤵
        
        PID:4540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        71⤵
        
        PID:4548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        72⤵
        Modifies registry class
        
        PID:4924
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        75⤵
        Checks computer location settings
        
        PID:1096
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1100
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        77⤵
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        78⤵
        
        PID:3532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        80⤵
        Checks computer location settings
        
        PID:4392
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        81⤵
        
        PID:3356
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        83⤵
        Modifies registry class
        
        PID:2944
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        85⤵
        Drops file in System32 directory
        
        PID:1740
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        86⤵
        
        PID:5064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        87⤵
        Modifies registry class
        
        PID:4892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2492
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        89⤵
        
        PID:2996
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        90⤵
        Modifies registry class
        
        PID:3624
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        91⤵
        
        PID:3260
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        92⤵
        
        PID:3504
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        93⤵
        Checks computer location settings
        
        PID:4540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        94⤵
        Modifies registry class
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        95⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        96⤵
        
        PID:3216
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        97⤵
        
        PID:4496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        98⤵
        Modifies registry class
        
        PID:1152
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        101⤵
        
        PID:448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        102⤵
        Checks computer location settings
        
        PID:1720
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        103⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3332
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        105⤵
        
        PID:3068
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        107⤵
        
        PID:4772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        108⤵
        
        PID:1424
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        109⤵
        Modifies registry class
        
        PID:2988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        111⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        112⤵
        
        PID:4884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        113⤵
        Checks computer location settings
        
        PID:856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        114⤵
        
        PID:532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        115⤵
        
        PID:4904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        118⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        119⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        120⤵
        
        PID:3936
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        121⤵
        
        PID:208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        122⤵
        Checks computer location settings
        
        PID:800
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        123⤵
        
        PID:4072
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        124⤵
        Modifies registry class
        
        PID:3324
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        126⤵
        Checks computer location settings
        
        PID:5048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        129⤵
        Checks computer location settings
        
        PID:4844
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        130⤵
        
        PID:1384
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        131⤵
        Checks computer location settings
        
        PID:2424
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3952
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        133⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        134⤵
        
        PID:1960
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        135⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        136⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        138⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        139⤵
        Modifies registry class
        
        PID:1668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        140⤵
        Checks computer location settings
        
        PID:3420
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        141⤵
        
        PID:4456
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        142⤵
        
        PID:2088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        144⤵
        
        PID:3048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        146⤵
        Checks computer location settings
        
        PID:4292
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        147⤵
        
        PID:4824
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        148⤵
        
        PID:3864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        149⤵
        
        PID:1280
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        150⤵
        Checks computer location settings
        
        PID:3728
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        151⤵
        Modifies registry class
        
        PID:1860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        153⤵
        Checks computer location settings
        Modifies registry class
        
        PID:448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        154⤵
        Checks computer location settings
        
        PID:2512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        155⤵
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        156⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        157⤵
        Modifies registry class
        
        PID:4832
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        158⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        159⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        160⤵
        Modifies registry class
        
        PID:3820
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        161⤵
        Checks computer location settings
        
        PID:3700
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        164⤵
        Modifies registry class
        
        PID:5088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        165⤵
        Checks computer location settings
        
        PID:4248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        166⤵
        Checks computer location settings
        
        PID:4908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        168⤵
        
        PID:4884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        169⤵
        
        PID:4892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        170⤵
        
        PID:2200
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        173⤵
        Checks computer location settings
        
        PID:4420
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        174⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        175⤵
        
        PID:4292
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        176⤵
        
        PID:4128
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        178⤵
        
        PID:1100
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        179⤵
        Modifies registry class
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        182⤵
        
        PID:3068
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        183⤵
        
        PID:2232
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        184⤵
        
        PID:3700
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        185⤵
        
        PID:3360
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        187⤵
        
        PID:2972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        188⤵
        
        PID:4248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        189⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4024
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        190⤵
        Checks computer location settings
        
        PID:1764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        191⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        192⤵
        Checks computer location settings
        
        PID:1888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        193⤵
        
        PID:1668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        195⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        196⤵
        Checks computer location settings
        
        PID:2756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        197⤵
        
        PID:4548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        199⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        200⤵
        
        PID:1324
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        201⤵
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        202⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        203⤵
        
        PID:2180
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        205⤵
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        206⤵
        
        PID:3808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        207⤵
        
        PID:1648
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        208⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        209⤵
        
        PID:3224
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        211⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        212⤵
        
        PID:1684
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        214⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        215⤵
        
        PID:1572
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        216⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        217⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        218⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        219⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        220⤵
        
        PID:824
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        221⤵
        
        PID:1548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        222⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        223⤵
        Modifies registry class
        
        PID:4760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        224⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        225⤵
        
        PID:2180
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        226⤵
        
        PID:2872
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        227⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        228⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        229⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        230⤵
        Modifies registry class
        
        PID:3936
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        231⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        232⤵
        Checks computer location settings
        
        PID:1228
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        233⤵
        Drops file in System32 directory
        
        PID:3928
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        234⤵
        
        PID:3364
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        235⤵
        Checks computer location settings
        
        PID:3152
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        237⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        238⤵
        Modifies registry class
        
        PID:1764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        239⤵
        
        PID:856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        240⤵
        
        PID:5024
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        241⤵
        Modifies registry class
        
        PID:4776
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        242⤵
        Modifies registry class
        
        PID:4172
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        243⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4224
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        244⤵
        Checks computer location settings
        
        PID:5116
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        245⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        246⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        247⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:180
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        249⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        251⤵
        
        PID:3484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        252⤵
        
        PID:4652
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        253⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        254⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        255⤵
        Drops file in System32 directory
        
        PID:3060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        256⤵
        
        PID:4484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        258⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        259⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        261⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        262⤵
        
        PID:4908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        263⤵
        
        PID:2728
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        264⤵
        
        PID:2256
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        265⤵
        
        PID:4544
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        266⤵
        Checks computer location settings
        
        PID:2288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        267⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        268⤵
        
        PID:2200
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        270⤵
        
        PID:2088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        271⤵
        
        PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wintemp.exe

Filesize
28KB

MD5
bf38333a1243cf12ea3216cc2f07bd24

SHA1
53c8653bc4cf317b3d8c1cdbd9aa6a65b8bdc308

SHA256
27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548

SHA512
84ba45f4fefc3bc70cf470c11a93ddf1613df5aa1562bd808020b916c9ced96bcfd45a67ad78fcf7c986686586a1cc19e49ad44977d4ed06a229350248818c11

Download Submit
memory/116-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/220-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/368-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/460-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/460-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/464-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/532-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/548-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/652-119-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/800-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1064-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1240-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1520-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1612-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1740-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2044-50-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2180-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2300-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2304-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2692-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2860-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2864-100-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2896-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2960-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3004-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3060-117-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3064-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3136-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3212-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3324-122-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3484-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3532-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3564-121-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3716-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3716-118-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3868-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3928-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4120-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4136-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4184-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4220-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4308-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4424-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4448-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4456-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4532-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4676-125-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4776-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4884-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4892-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4904-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4940-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5048-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download