metasploit | e19a27753b1bbb06c11ee8f10d4fa64e872ddbe687cff591b249b75de9b005d8

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925bb25233da281843c47b4518d0250d_JaffaCakes118.exe
Size

119KB
MD5

925bb25233da281843c47b4518d0250d
SHA1

8b1c9a4554b15fb23bf2c1ed5db212b78507e832
SHA256

e19a27753b1bbb06c11ee8f10d4fa64e872ddbe687cff591b249b75de9b005d8
SHA512

abd509099e815b76b0ba551138b49d9be7997cbaa7d219f22ace67d4203f97e0c43b0456c8c8929aa5f0f581d219369a99e7ff9a85db00ec47bce22f2acb2b09
SSDEEP

3072:iFJnmsxmJFVZDZFYFCrqhkKJXHS+W8DTpvgYSfout:SJjmJHZnGCrqCKJM8x4YSfoS

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
320	wmisrvc.exe

Executes dropped EXE 64 IoCs

pid	Process
320	wmisrvc.exe
2788	wmisrvc.exe
2740	wmisrvc.exe
2716	wmisrvc.exe
2632	wmisrvc.exe
2532	wmisrvc.exe
2560	wmisrvc.exe
1268	wmisrvc.exe
1148	wmisrvc.exe
2988	wmisrvc.exe
2232	wmisrvc.exe
1096	wmisrvc.exe
1940	wmisrvc.exe
1288	wmisrvc.exe
1956	wmisrvc.exe
1532	wmisrvc.exe
1484	wmisrvc.exe
1480	wmisrvc.exe
2016	wmisrvc.exe
792	wmisrvc.exe
2104	wmisrvc.exe
2720	wmisrvc.exe
2736	wmisrvc.exe
2816	wmisrvc.exe
2796	wmisrvc.exe
2604	wmisrvc.exe
1508	wmisrvc.exe
2896	wmisrvc.exe
2940	wmisrvc.exe
2892	wmisrvc.exe
2960	wmisrvc.exe
2948	wmisrvc.exe
1984	wmisrvc.exe
1608	wmisrvc.exe
2252	wmisrvc.exe
2184	wmisrvc.exe
1244	wmisrvc.exe
1072	wmisrvc.exe
2432	wmisrvc.exe
1332	wmisrvc.exe
1760	wmisrvc.exe
712	wmisrvc.exe
1532	wmisrvc.exe
2656	wmisrvc.exe
2424	wmisrvc.exe
1712	wmisrvc.exe
2240	wmisrvc.exe
2784	wmisrvc.exe
2732	wmisrvc.exe
2852	wmisrvc.exe
2816	wmisrvc.exe
1944	wmisrvc.exe
2716	wmisrvc.exe
2632	wmisrvc.exe
1788	wmisrvc.exe
1736	wmisrvc.exe
1580	wmisrvc.exe
1224	wmisrvc.exe
2140	wmisrvc.exe
2952	wmisrvc.exe
2124	wmisrvc.exe
2252	wmisrvc.exe
1520	wmisrvc.exe
1096	wmisrvc.exe

Loads dropped DLL 64 IoCs

pid	Process
2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe
2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe
320	wmisrvc.exe
320	wmisrvc.exe
2788	wmisrvc.exe
2788	wmisrvc.exe
2740	wmisrvc.exe
2740	wmisrvc.exe
2716	wmisrvc.exe
2716	wmisrvc.exe
2632	wmisrvc.exe
2632	wmisrvc.exe
2532	wmisrvc.exe
2532	wmisrvc.exe
2560	wmisrvc.exe
2560	wmisrvc.exe
1268	wmisrvc.exe
1268	wmisrvc.exe
1148	wmisrvc.exe
1148	wmisrvc.exe
2988	wmisrvc.exe
2988	wmisrvc.exe
2232	wmisrvc.exe
2232	wmisrvc.exe
1096	wmisrvc.exe
1096	wmisrvc.exe
1940	wmisrvc.exe
1940	wmisrvc.exe
1288	wmisrvc.exe
1288	wmisrvc.exe
1956	wmisrvc.exe
1956	wmisrvc.exe
1532	wmisrvc.exe
1532	wmisrvc.exe
1484	wmisrvc.exe
1484	wmisrvc.exe
1480	wmisrvc.exe
1480	wmisrvc.exe
2016	wmisrvc.exe
2016	wmisrvc.exe
792	wmisrvc.exe
792	wmisrvc.exe
2104	wmisrvc.exe
2104	wmisrvc.exe
2720	wmisrvc.exe
2720	wmisrvc.exe
2736	wmisrvc.exe
2736	wmisrvc.exe
2816	wmisrvc.exe
2816	wmisrvc.exe
2796	wmisrvc.exe
2796	wmisrvc.exe
2604	wmisrvc.exe
2604	wmisrvc.exe
1508	wmisrvc.exe
1508	wmisrvc.exe
2896	wmisrvc.exe
2896	wmisrvc.exe
2940	wmisrvc.exe
2940	wmisrvc.exe
2892	wmisrvc.exe
2892	wmisrvc.exe
2960	wmisrvc.exe
2960	wmisrvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File opened for modification	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe
File created	C:\Windows\SysWOW64\wmisrvc.exe	wmisrvc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-0-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/files/0x0009000000016311-4.dat	upx
behavioral1/memory/2348-13-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/320-19-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2788-26-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2716-31-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2740-33-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2716-41-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2716-37-0x0000000003170000-0x00000000031CC000-memory.dmp	upx
behavioral1/memory/2632-46-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2532-47-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2532-53-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2560-56-0x0000000003320000-0x000000000337C000-memory.dmp	upx
behavioral1/memory/2560-59-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1268-65-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1148-66-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1148-72-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2232-80-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2988-79-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1096-85-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2232-87-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1096-94-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1940-95-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1940-101-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1956-108-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1288-107-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1956-115-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1532-122-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1484-127-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1480-130-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2016-134-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2104-137-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/792-138-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2104-141-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2720-143-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2736-146-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2816-150-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2816-148-0x0000000003320000-0x000000000337C000-memory.dmp	upx
behavioral1/memory/2796-154-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2604-156-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1508-160-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2896-162-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2940-166-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2940-163-0x0000000003580000-0x00000000035DC000-memory.dmp	upx
behavioral1/memory/2892-169-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2948-171-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2960-170-0x0000000002F80000-0x0000000002FDC000-memory.dmp	upx
behavioral1/memory/2960-173-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2948-175-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1984-177-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1608-178-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2252-180-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2184-182-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1072-184-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1244-186-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1072-188-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2432-191-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2432-189-0x00000000031C0000-0x000000000321C000-memory.dmp	upx
behavioral1/memory/1332-193-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1760-194-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1760-196-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/712-197-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1532-198-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1332-199-0x00000000030C0000-0x000000000311C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisrvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe
320	wmisrvc.exe
2788	wmisrvc.exe
2740	wmisrvc.exe
2716	wmisrvc.exe
2632	wmisrvc.exe
2532	wmisrvc.exe
2560	wmisrvc.exe
1268	wmisrvc.exe
1148	wmisrvc.exe
2988	wmisrvc.exe
2232	wmisrvc.exe
1096	wmisrvc.exe
1940	wmisrvc.exe
1288	wmisrvc.exe
1956	wmisrvc.exe
1532	wmisrvc.exe
1484	wmisrvc.exe
1480	wmisrvc.exe
2016	wmisrvc.exe
792	wmisrvc.exe
2104	wmisrvc.exe
2720	wmisrvc.exe
2736	wmisrvc.exe
2816	wmisrvc.exe
2796	wmisrvc.exe
2604	wmisrvc.exe
1508	wmisrvc.exe
2896	wmisrvc.exe
2940	wmisrvc.exe
2892	wmisrvc.exe
2960	wmisrvc.exe
2948	wmisrvc.exe
1984	wmisrvc.exe
1608	wmisrvc.exe
2252	wmisrvc.exe
2184	wmisrvc.exe
1244	wmisrvc.exe
1072	wmisrvc.exe
2432	wmisrvc.exe
1332	wmisrvc.exe
1760	wmisrvc.exe
712	wmisrvc.exe
1532	wmisrvc.exe
2656	wmisrvc.exe
1712	wmisrvc.exe
2240	wmisrvc.exe
2784	wmisrvc.exe
2732	wmisrvc.exe
2852	wmisrvc.exe
2816	wmisrvc.exe
1944	wmisrvc.exe
2716	wmisrvc.exe
2632	wmisrvc.exe
1788	wmisrvc.exe
1736	wmisrvc.exe
1580	wmisrvc.exe
1224	wmisrvc.exe
2140	wmisrvc.exe
2952	wmisrvc.exe
2124	wmisrvc.exe
2252	wmisrvc.exe
1520	wmisrvc.exe
1096	wmisrvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 320	2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe	32
PID 2348 wrote to memory of 320	2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe	32
PID 2348 wrote to memory of 320	2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe	32
PID 2348 wrote to memory of 320	2348	925bb25233da281843c47b4518d0250d_JaffaCakes118.exe	32
PID 320 wrote to memory of 2788	320	wmisrvc.exe	33
PID 320 wrote to memory of 2788	320	wmisrvc.exe	33
PID 320 wrote to memory of 2788	320	wmisrvc.exe	33
PID 320 wrote to memory of 2788	320	wmisrvc.exe	33
PID 2788 wrote to memory of 2740	2788	wmisrvc.exe	34
PID 2788 wrote to memory of 2740	2788	wmisrvc.exe	34
PID 2788 wrote to memory of 2740	2788	wmisrvc.exe	34
PID 2788 wrote to memory of 2740	2788	wmisrvc.exe	34
PID 2740 wrote to memory of 2716	2740	wmisrvc.exe	35
PID 2740 wrote to memory of 2716	2740	wmisrvc.exe	35
PID 2740 wrote to memory of 2716	2740	wmisrvc.exe	35
PID 2740 wrote to memory of 2716	2740	wmisrvc.exe	35
PID 2716 wrote to memory of 2632	2716	wmisrvc.exe	36
PID 2716 wrote to memory of 2632	2716	wmisrvc.exe	36
PID 2716 wrote to memory of 2632	2716	wmisrvc.exe	36
PID 2716 wrote to memory of 2632	2716	wmisrvc.exe	36
PID 2632 wrote to memory of 2532	2632	wmisrvc.exe	37
PID 2632 wrote to memory of 2532	2632	wmisrvc.exe	37
PID 2632 wrote to memory of 2532	2632	wmisrvc.exe	37
PID 2632 wrote to memory of 2532	2632	wmisrvc.exe	37
PID 2532 wrote to memory of 2560	2532	wmisrvc.exe	38
PID 2532 wrote to memory of 2560	2532	wmisrvc.exe	38
PID 2532 wrote to memory of 2560	2532	wmisrvc.exe	38
PID 2532 wrote to memory of 2560	2532	wmisrvc.exe	38
PID 2560 wrote to memory of 1268	2560	wmisrvc.exe	39
PID 2560 wrote to memory of 1268	2560	wmisrvc.exe	39
PID 2560 wrote to memory of 1268	2560	wmisrvc.exe	39
PID 2560 wrote to memory of 1268	2560	wmisrvc.exe	39
PID 1268 wrote to memory of 1148	1268	wmisrvc.exe	40
PID 1268 wrote to memory of 1148	1268	wmisrvc.exe	40
PID 1268 wrote to memory of 1148	1268	wmisrvc.exe	40
PID 1268 wrote to memory of 1148	1268	wmisrvc.exe	40
PID 1148 wrote to memory of 2988	1148	wmisrvc.exe	41
PID 1148 wrote to memory of 2988	1148	wmisrvc.exe	41
PID 1148 wrote to memory of 2988	1148	wmisrvc.exe	41
PID 1148 wrote to memory of 2988	1148	wmisrvc.exe	41
PID 2988 wrote to memory of 2232	2988	wmisrvc.exe	42
PID 2988 wrote to memory of 2232	2988	wmisrvc.exe	42
PID 2988 wrote to memory of 2232	2988	wmisrvc.exe	42
PID 2988 wrote to memory of 2232	2988	wmisrvc.exe	42
PID 2232 wrote to memory of 1096	2232	wmisrvc.exe	43
PID 2232 wrote to memory of 1096	2232	wmisrvc.exe	43
PID 2232 wrote to memory of 1096	2232	wmisrvc.exe	43
PID 2232 wrote to memory of 1096	2232	wmisrvc.exe	43
PID 1096 wrote to memory of 1940	1096	wmisrvc.exe	44
PID 1096 wrote to memory of 1940	1096	wmisrvc.exe	44
PID 1096 wrote to memory of 1940	1096	wmisrvc.exe	44
PID 1096 wrote to memory of 1940	1096	wmisrvc.exe	44
PID 1940 wrote to memory of 1288	1940	wmisrvc.exe	45
PID 1940 wrote to memory of 1288	1940	wmisrvc.exe	45
PID 1940 wrote to memory of 1288	1940	wmisrvc.exe	45
PID 1940 wrote to memory of 1288	1940	wmisrvc.exe	45
PID 1288 wrote to memory of 1956	1288	wmisrvc.exe	46
PID 1288 wrote to memory of 1956	1288	wmisrvc.exe	46
PID 1288 wrote to memory of 1956	1288	wmisrvc.exe	46
PID 1288 wrote to memory of 1956	1288	wmisrvc.exe	46
PID 1956 wrote to memory of 1532	1956	wmisrvc.exe	47
PID 1956 wrote to memory of 1532	1956	wmisrvc.exe	47
PID 1956 wrote to memory of 1532	1956	wmisrvc.exe	47
PID 1956 wrote to memory of 1532	1956	wmisrvc.exe	47

C:\Users\Admin\AppData\Local\Temp\925bb25233da281843c47b4518d0250d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\925bb25233da281843c47b4518d0250d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\wmisrvc.exe
  "C:\Windows\system32\wmisrvc.exe" C:\Users\Admin\AppData\Local\Temp\925BB2~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\wmisrvc.exe
    "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\wmisrvc.exe
      "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1760
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:712
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        56⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        62⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        67⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        68⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        69⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        72⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        76⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        82⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        83⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        84⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        88⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        89⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        92⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        95⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        96⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        100⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        105⤵
        
        PID:796
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        106⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        107⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        111⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        112⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\wmisrvc.exe
        
        "C:\Windows\system32\wmisrvc.exe" C:\Windows\SysWOW64\wmisrvc.exe
        113⤵
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmisrvc.exe

Filesize
119KB

MD5
925bb25233da281843c47b4518d0250d

SHA1
8b1c9a4554b15fb23bf2c1ed5db212b78507e832

SHA256
e19a27753b1bbb06c11ee8f10d4fa64e872ddbe687cff591b249b75de9b005d8

SHA512
abd509099e815b76b0ba551138b49d9be7997cbaa7d219f22ace67d4203f97e0c43b0456c8c8929aa5f0f581d219369a99e7ff9a85db00ec47bce22f2acb2b09

Download Submit
memory/320-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/712-202-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/712-197-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/792-135-0x0000000002F90000-0x0000000002FEC000-memory.dmp

Filesize
368KB

Download
memory/792-138-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/792-136-0x0000000002F90000-0x0000000002FEC000-memory.dmp

Filesize
368KB

Download
memory/1072-184-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1072-188-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1096-94-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1096-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1096-89-0x00000000031D0000-0x000000000322C000-memory.dmp

Filesize
368KB

Download
memory/1096-91-0x00000000031D0000-0x000000000322C000-memory.dmp

Filesize
368KB

Download
memory/1148-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1148-66-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1148-69-0x00000000033E0000-0x000000000343C000-memory.dmp

Filesize
368KB

Download
memory/1224-244-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1244-183-0x0000000003260000-0x00000000032BC000-memory.dmp

Filesize
368KB

Download
memory/1244-186-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1268-65-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1268-63-0x00000000031D0000-0x000000000322C000-memory.dmp

Filesize
368KB

Download
memory/1288-107-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1288-104-0x00000000030C0000-0x000000000311C000-memory.dmp

Filesize
368KB

Download
memory/1332-199-0x00000000030C0000-0x000000000311C000-memory.dmp

Filesize
368KB

Download
memory/1332-193-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1480-128-0x0000000003110000-0x000000000316C000-memory.dmp

Filesize
368KB

Download
memory/1480-130-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1484-124-0x0000000003160000-0x00000000031BC000-memory.dmp

Filesize
368KB

Download
memory/1484-127-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1484-125-0x0000000003160000-0x00000000031BC000-memory.dmp

Filesize
368KB

Download
memory/1508-160-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1508-158-0x0000000003120000-0x000000000317C000-memory.dmp

Filesize
368KB

Download
memory/1508-157-0x0000000003120000-0x000000000317C000-memory.dmp

Filesize
368KB

Download
memory/1532-198-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1532-119-0x0000000003130000-0x000000000318C000-memory.dmp

Filesize
368KB

Download
memory/1532-201-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1532-122-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1532-118-0x0000000003130000-0x000000000318C000-memory.dmp

Filesize
368KB

Download
memory/1608-178-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1736-239-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1760-194-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1760-196-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1788-235-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1940-98-0x0000000002FC0000-0x000000000301C000-memory.dmp

Filesize
368KB

Download
memory/1940-95-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1940-101-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1956-115-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1956-108-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1956-112-0x00000000031A0000-0x00000000031FC000-memory.dmp

Filesize
368KB

Download
memory/1984-177-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2016-132-0x0000000003230000-0x000000000328C000-memory.dmp

Filesize
368KB

Download
memory/2016-134-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2016-131-0x0000000003230000-0x000000000328C000-memory.dmp

Filesize
368KB

Download
memory/2104-141-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2104-137-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2104-139-0x00000000030D0000-0x000000000312C000-memory.dmp

Filesize
368KB

Download
memory/2184-182-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2232-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2232-83-0x0000000003340000-0x000000000339C000-memory.dmp

Filesize
368KB

Download
memory/2232-87-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2252-180-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2348-10-0x0000000003160000-0x00000000031BC000-memory.dmp

Filesize
368KB

Download
memory/2348-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2348-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2424-210-0x0000000074E60000-0x0000000074E87000-memory.dmp

Filesize
156KB

Download
memory/2424-209-0x00000000021C0000-0x00000000022B5000-memory.dmp

Filesize
980KB

Download
memory/2424-211-0x0000000002B90000-0x00000000037DA000-memory.dmp

Filesize
12.3MB

Download
memory/2424-208-0x00000000777E0000-0x00000000778DA000-memory.dmp

Filesize
1000KB

Download
memory/2424-207-0x00000000776C0000-0x00000000777DF000-memory.dmp

Filesize
1.1MB

Download
memory/2432-191-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2432-189-0x00000000031C0000-0x000000000321C000-memory.dmp

Filesize
368KB

Download
memory/2532-53-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2532-47-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2560-56-0x0000000003320000-0x000000000337C000-memory.dmp

Filesize
368KB

Download
memory/2560-59-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2604-156-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2632-46-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-204-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2716-37-0x0000000003170000-0x00000000031CC000-memory.dmp

Filesize
368KB

Download
memory/2716-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2716-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2716-38-0x0000000003170000-0x00000000031CC000-memory.dmp

Filesize
368KB

Download
memory/2720-143-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2736-144-0x0000000002FD0000-0x000000000302C000-memory.dmp

Filesize
368KB

Download
memory/2736-146-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2740-30-0x0000000003100000-0x000000000315C000-memory.dmp

Filesize
368KB

Download
memory/2788-26-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2788-24-0x0000000003210000-0x000000000326C000-memory.dmp

Filesize
368KB

Download
memory/2796-154-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2796-152-0x00000000035C0000-0x000000000361C000-memory.dmp

Filesize
368KB

Download
memory/2796-151-0x00000000035C0000-0x000000000361C000-memory.dmp

Filesize
368KB

Download
memory/2816-150-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-148-0x0000000003320000-0x000000000337C000-memory.dmp

Filesize
368KB

Download
memory/2816-147-0x0000000003320000-0x000000000337C000-memory.dmp

Filesize
368KB

Download
memory/2892-169-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2892-167-0x0000000003430000-0x000000000348C000-memory.dmp

Filesize
368KB

Download
memory/2896-162-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2940-164-0x0000000003580000-0x00000000035DC000-memory.dmp

Filesize
368KB

Download
memory/2940-166-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2940-163-0x0000000003580000-0x00000000035DC000-memory.dmp

Filesize
368KB

Download
memory/2948-175-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2948-171-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-173-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-170-0x0000000002F80000-0x0000000002FDC000-memory.dmp

Filesize
368KB

Download
memory/2988-76-0x0000000003210000-0x000000000326C000-memory.dmp

Filesize
368KB

Download
memory/2988-79-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2988-74-0x0000000003210000-0x000000000326C000-memory.dmp

Filesize
368KB

Download