metasploit | bb957cba14b716765fffb1aa49b12f7d4b98f296cbabca7e499c57f4d8ed5a16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Size

168KB
MD5

f0806d11956287ed5faa36ef7c4cfcfc
SHA1

3986789e5be5e5bec6668a7270cba2f1323f701f
SHA256

bb957cba14b716765fffb1aa49b12f7d4b98f296cbabca7e499c57f4d8ed5a16
SHA512

980c89a08715855b7a630a2b189b75d3837f3549841b2e2e8c540ef3fb79a9331239482383049aea36799a1a14cd9cf7a7eb3360dcc4aface14e5f0429b3bad4
SSDEEP

3072:tU7bCtMPU4dBMOioVb+B46Fl9B0ZDxQ5Mh86LshfdWrwvS0dC80Xl:ERdWOi3BdgZDW5Mh8qsXEw63l

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 45 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wnpxk2.exe

Deletes itself 1 IoCs

pid	Process
1104	wnpxk2.exe

Executes dropped EXE 64 IoCs

pid	Process
1864	wnpxk2.exe
1104	wnpxk2.exe
3460	wnpxk2.exe
1028	wnpxk2.exe
4780	wnpxk2.exe
2648	wnpxk2.exe
1520	wnpxk2.exe
1996	wnpxk2.exe
2528	wnpxk2.exe
1420	wnpxk2.exe
4108	wnpxk2.exe
2880	wnpxk2.exe
4416	wnpxk2.exe
3096	wnpxk2.exe
2824	wnpxk2.exe
2912	wnpxk2.exe
3564	wnpxk2.exe
2116	wnpxk2.exe
1412	wnpxk2.exe
3968	wnpxk2.exe
4032	wnpxk2.exe
4720	wnpxk2.exe
312	wnpxk2.exe
1460	wnpxk2.exe
2204	wnpxk2.exe
776	wnpxk2.exe
4728	wnpxk2.exe
2728	wnpxk2.exe
4800	wnpxk2.exe
3224	wnpxk2.exe
2596	wnpxk2.exe
4736	wnpxk2.exe
1300	wnpxk2.exe
4924	wnpxk2.exe
2508	wnpxk2.exe
3956	wnpxk2.exe
2540	wnpxk2.exe
704	wnpxk2.exe
4372	wnpxk2.exe
2848	wnpxk2.exe
4444	wnpxk2.exe
2872	wnpxk2.exe
2552	wnpxk2.exe
4860	wnpxk2.exe
1820	wnpxk2.exe
4828	wnpxk2.exe
4928	wnpxk2.exe
4380	wnpxk2.exe
3352	wnpxk2.exe
4388	wnpxk2.exe
3148	wnpxk2.exe
536	wnpxk2.exe
880	wnpxk2.exe
3892	wnpxk2.exe
4504	wnpxk2.exe
4164	wnpxk2.exe
4136	wnpxk2.exe
1336	wnpxk2.exe
1364	wnpxk2.exe
4172	wnpxk2.exe
2436	wnpxk2.exe
3132	wnpxk2.exe
2612	wnpxk2.exe
1952	wnpxk2.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3052-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3052-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3052-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3052-3-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3052-40-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1104-44-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1104-46-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1104-45-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1104-48-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1028-52-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1028-53-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1028-55-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2648-60-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2648-61-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2648-59-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2648-62-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1996-68-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1996-69-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1996-71-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1420-77-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1420-79-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2880-85-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2880-87-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3096-94-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2912-99-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2912-103-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2116-109-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2116-111-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3968-117-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3968-119-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4720-126-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1460-135-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/776-140-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/776-144-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2728-152-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3224-155-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3224-159-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4736-164-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4736-168-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4924-173-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4924-177-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3956-182-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3956-186-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/704-191-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/704-195-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2848-199-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2848-204-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2872-213-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4860-218-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4860-222-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4828-228-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4380-234-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4388-238-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4388-241-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/536-247-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3892-253-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4164-259-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1336-265-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4172-271-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/3132-277-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1952-283-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1088-286-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/1088-290-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/2212-296-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wnpxk2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File created	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe
File opened for modification	C:\Windows\SysWOW64\wnpxk2.exe	wnpxk2.exe

Suspicious use of SetThreadContext 46 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 1864 set thread context of 1104	1864	wnpxk2.exe	84
PID 3460 set thread context of 1028	3460	wnpxk2.exe	91
PID 4780 set thread context of 2648	4780	wnpxk2.exe	94
PID 1520 set thread context of 1996	1520	wnpxk2.exe	98
PID 2528 set thread context of 1420	2528	wnpxk2.exe	100
PID 4108 set thread context of 2880	4108	wnpxk2.exe	102
PID 4416 set thread context of 3096	4416	wnpxk2.exe	104
PID 2824 set thread context of 2912	2824	wnpxk2.exe	106
PID 3564 set thread context of 2116	3564	wnpxk2.exe	108
PID 1412 set thread context of 3968	1412	wnpxk2.exe	111
PID 4032 set thread context of 4720	4032	wnpxk2.exe	114
PID 312 set thread context of 1460	312	wnpxk2.exe	116
PID 2204 set thread context of 776	2204	wnpxk2.exe	118
PID 4728 set thread context of 2728	4728	wnpxk2.exe	120
PID 4800 set thread context of 3224	4800	wnpxk2.exe	122
PID 2596 set thread context of 4736	2596	wnpxk2.exe	124
PID 1300 set thread context of 4924	1300	wnpxk2.exe	126
PID 2508 set thread context of 3956	2508	wnpxk2.exe	128
PID 2540 set thread context of 704	2540	wnpxk2.exe	130
PID 4372 set thread context of 2848	4372	wnpxk2.exe	132
PID 4444 set thread context of 2872	4444	wnpxk2.exe	134
PID 2552 set thread context of 4860	2552	wnpxk2.exe	136
PID 1820 set thread context of 4828	1820	wnpxk2.exe	138
PID 4928 set thread context of 4380	4928	wnpxk2.exe	140
PID 3352 set thread context of 4388	3352	wnpxk2.exe	142
PID 3148 set thread context of 536	3148	wnpxk2.exe	144
PID 880 set thread context of 3892	880	wnpxk2.exe	146
PID 4504 set thread context of 4164	4504	wnpxk2.exe	148
PID 4136 set thread context of 1336	4136	wnpxk2.exe	150
PID 1364 set thread context of 4172	1364	wnpxk2.exe	152
PID 2436 set thread context of 3132	2436	wnpxk2.exe	154
PID 2612 set thread context of 1952	2612	wnpxk2.exe	156
PID 3376 set thread context of 1088	3376	wnpxk2.exe	158
PID 1776 set thread context of 2212	1776	wnpxk2.exe	160
PID 3484 set thread context of 4156	3484	wnpxk2.exe	162
PID 4936 set thread context of 4744	4936	wnpxk2.exe	164
PID 1688 set thread context of 4236	1688	wnpxk2.exe	166
PID 1464 set thread context of 1384	1464	wnpxk2.exe	168
PID 1108 set thread context of 2572	1108	wnpxk2.exe	170
PID 1064 set thread context of 4776	1064	wnpxk2.exe	172
PID 4900 set thread context of 2284	4900	wnpxk2.exe	174
PID 5092 set thread context of 5024	5092	wnpxk2.exe	176
PID 2240 set thread context of 4664	2240	wnpxk2.exe	178
PID 3672 set thread context of 220	3672	wnpxk2.exe	180
PID 3400 set thread context of 1052	3400	wnpxk2.exe	182

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnpxk2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wnpxk2.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wnpxk2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
3052	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
1104	wnpxk2.exe
1104	wnpxk2.exe
1028	wnpxk2.exe
1028	wnpxk2.exe
2648	wnpxk2.exe
2648	wnpxk2.exe
1996	wnpxk2.exe
1996	wnpxk2.exe
1420	wnpxk2.exe
1420	wnpxk2.exe
2880	wnpxk2.exe
2880	wnpxk2.exe
3096	wnpxk2.exe
3096	wnpxk2.exe
2912	wnpxk2.exe
2912	wnpxk2.exe
2116	wnpxk2.exe
2116	wnpxk2.exe
3968	wnpxk2.exe
3968	wnpxk2.exe
4720	wnpxk2.exe
4720	wnpxk2.exe
1460	wnpxk2.exe
1460	wnpxk2.exe
776	wnpxk2.exe
776	wnpxk2.exe
2728	wnpxk2.exe
2728	wnpxk2.exe
4736	wnpxk2.exe
4736	wnpxk2.exe
4924	wnpxk2.exe
4924	wnpxk2.exe
3956	wnpxk2.exe
3956	wnpxk2.exe
704	wnpxk2.exe
704	wnpxk2.exe
2848	wnpxk2.exe
2848	wnpxk2.exe
2872	wnpxk2.exe
2872	wnpxk2.exe
4860	wnpxk2.exe
4860	wnpxk2.exe
4828	wnpxk2.exe
4828	wnpxk2.exe
4380	wnpxk2.exe
4380	wnpxk2.exe
4388	wnpxk2.exe
4388	wnpxk2.exe
536	wnpxk2.exe
536	wnpxk2.exe
3892	wnpxk2.exe
3892	wnpxk2.exe
4164	wnpxk2.exe
4164	wnpxk2.exe
1336	wnpxk2.exe
1336	wnpxk2.exe
4172	wnpxk2.exe
4172	wnpxk2.exe
3132	wnpxk2.exe
3132	wnpxk2.exe
1952	wnpxk2.exe
1952	wnpxk2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 220 wrote to memory of 3052	220	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	82
PID 3052 wrote to memory of 1864	3052	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	83
PID 3052 wrote to memory of 1864	3052	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	83
PID 3052 wrote to memory of 1864	3052	f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe	83
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1864 wrote to memory of 1104	1864	wnpxk2.exe	84
PID 1104 wrote to memory of 3460	1104	wnpxk2.exe	90
PID 1104 wrote to memory of 3460	1104	wnpxk2.exe	90
PID 1104 wrote to memory of 3460	1104	wnpxk2.exe	90
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 3460 wrote to memory of 1028	3460	wnpxk2.exe	91
PID 1028 wrote to memory of 4780	1028	wnpxk2.exe	93
PID 1028 wrote to memory of 4780	1028	wnpxk2.exe	93
PID 1028 wrote to memory of 4780	1028	wnpxk2.exe	93
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 4780 wrote to memory of 2648	4780	wnpxk2.exe	94
PID 2648 wrote to memory of 1520	2648	wnpxk2.exe	97
PID 2648 wrote to memory of 1520	2648	wnpxk2.exe	97
PID 2648 wrote to memory of 1520	2648	wnpxk2.exe	97
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1520 wrote to memory of 1996	1520	wnpxk2.exe	98
PID 1996 wrote to memory of 2528	1996	wnpxk2.exe	99
PID 1996 wrote to memory of 2528	1996	wnpxk2.exe	99
PID 1996 wrote to memory of 2528	1996	wnpxk2.exe	99
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 2528 wrote to memory of 1420	2528	wnpxk2.exe	100
PID 1420 wrote to memory of 4108	1420	wnpxk2.exe	101
PID 1420 wrote to memory of 4108	1420	wnpxk2.exe	101
PID 1420 wrote to memory of 4108	1420	wnpxk2.exe	101
PID 4108 wrote to memory of 2880	4108	wnpxk2.exe	102
PID 4108 wrote to memory of 2880	4108	wnpxk2.exe	102
PID 4108 wrote to memory of 2880	4108	wnpxk2.exe	102
PID 4108 wrote to memory of 2880	4108	wnpxk2.exe	102

C:\Users\Admin\AppData\Local\Temp\f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f0806d11956287ed5faa36ef7c4cfcfc_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\wnpxk2.exe
    "C:\Windows\system32\wnpxk2.exe" C:\Users\Admin\AppData\Local\Temp\F0806D~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\wnpxk2.exe
      "C:\Windows\system32\wnpxk2.exe" C:\Users\Admin\AppData\Local\Temp\F0806D~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4860
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4828
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:536
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4172
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3132
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        69⤵
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        86⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        88⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        89⤵
        Suspicious use of SetThreadContext
        
        PID:3672
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\wnpxk2.exe
        
        "C:\Windows\system32\wnpxk2.exe" C:\Windows\SysWOW64\wnpxk2.exe
        92⤵
        
        PID:1052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wnpxk2.exe

Filesize
168KB

MD5
f0806d11956287ed5faa36ef7c4cfcfc

SHA1
3986789e5be5e5bec6668a7270cba2f1323f701f

SHA256
bb957cba14b716765fffb1aa49b12f7d4b98f296cbabca7e499c57f4d8ed5a16

SHA512
980c89a08715855b7a630a2b189b75d3837f3549841b2e2e8c540ef3fb79a9331239482383049aea36799a1a14cd9cf7a7eb3360dcc4aface14e5f0429b3bad4

Download Submit
memory/220-357-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/536-247-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/704-195-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/704-191-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/776-144-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/776-140-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-52-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-53-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1028-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1088-286-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1088-290-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-46-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-45-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-48-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-44-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1336-265-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1384-320-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1420-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1420-79-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1460-135-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1952-283-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-69-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-71-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1996-68-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2116-109-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2116-111-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2212-296-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2284-339-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2572-323-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2572-327-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-62-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2648-59-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2728-152-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-199-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-204-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2872-213-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2880-87-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2880-85-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2912-103-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2912-99-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3052-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3096-94-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3132-277-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3224-159-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3224-155-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3892-253-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3956-186-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3956-182-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3968-117-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3968-119-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4156-302-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4164-259-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4172-271-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4236-314-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4380-234-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-241-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-238-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4664-351-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4720-126-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4736-168-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4736-164-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4744-308-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4776-333-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4828-228-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4860-222-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4860-218-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4924-173-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4924-177-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5024-345-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download