Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2024 14:54

General

  • Target

    a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe

  • Size

    142KB

  • MD5

    a28b528c73a2e5e06b5b535db03b9132

  • SHA1

    6b54ee539c8aacdb7b9cd5f6656977019e4c834e

  • SHA256

    c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573

  • SHA512

    485e1ad7ac5781a36ade8e6c233d76c97c723790a3a9c7c817b307023a77d05f295e9933ad9a6da3ef309f4c93acb04102ea2013f62d24c1a33f5fca395a09d4

  • SSDEEP

    3072:9N4+69jpWSbgg8LFBAXmlwpqUFCYKwi5s/b:/47jFEgYnA7D1iM

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Metasploit family
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\SysWOW64\wiacmfgr.exe
        "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\wiacmfgr.exe
          "C:\Windows\system32\wiacmfgr.exe" C:\Users\Admin\AppData\Local\Temp\A28B52~1.EXE
          4⤵
          • Checks computer location settings
          • Deletes itself
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Windows\SysWOW64\wiacmfgr.exe
            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\wiacmfgr.exe
              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Windows\SysWOW64\wiacmfgr.exe
                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2200
                • C:\Windows\SysWOW64\wiacmfgr.exe
                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1804
                  • C:\Windows\SysWOW64\wiacmfgr.exe
                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                    9⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2212
                    • C:\Windows\SysWOW64\wiacmfgr.exe
                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1100
                      • C:\Windows\SysWOW64\wiacmfgr.exe
                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                        11⤵
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:1288
                        • C:\Windows\SysWOW64\wiacmfgr.exe
                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3964
                          • C:\Windows\SysWOW64\wiacmfgr.exe
                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                            13⤵
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of SetThreadContext
                            PID:2804
                            • C:\Windows\SysWOW64\wiacmfgr.exe
                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1792
                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                15⤵
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:1424
                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3108
                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of SetThreadContext
                                    PID:4376
                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1340
                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:1448
                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3352
                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:408
                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2680
                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:400
                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3524
                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Suspicious use of SetThreadContext
                                                    PID:5108
                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:4612
                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:744
                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:4692
                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:3240
                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:4936
                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3912
                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:2064
                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3708
                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:1108
                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1464
                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:3056
                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:2044
                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:732
                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:1520
                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:3888
                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:2944
                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:1496
                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Checks whether UAC is enabled
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:4828
                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:4820
                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Checks whether UAC is enabled
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:1640
                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:3556
                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Checks whether UAC is enabled
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:3212
                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:4248
                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Checks whether UAC is enabled
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:1448
                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      PID:2248
                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Checks whether UAC is enabled
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:408
                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          PID:2028
                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks whether UAC is enabled
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            PID:2908
                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:5072
                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Checks whether UAC is enabled
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:4636
                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:4436
                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Checks whether UAC is enabled
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:4916
                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                      58⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:1512
                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Checks whether UAC is enabled
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3900
                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:3448
                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Checks whether UAC is enabled
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:2380
                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              PID:4188
                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:3052
                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                  64⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  PID:4380
                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2564
                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:3724
                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                        67⤵
                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:3492
                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                          68⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Modifies registry class
                                                                                                                                          PID:5096
                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                            69⤵
                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1672
                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                              70⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:2956
                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                71⤵
                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                PID:3496
                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:2060
                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    PID:4480
                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1576
                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5088
                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:1748
                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            PID:3940
                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              • Modifies registry class
                                                                                                                                                              PID:3032
                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                PID:3156
                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:1424
                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                    PID:4376
                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:4552
                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        PID:2324
                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:3176
                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:3956
                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                              86⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:2348
                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                87⤵
                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                PID:2660
                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                  88⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:2632
                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                    89⤵
                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:556
                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                      90⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:4636
                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                        91⤵
                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        PID:3896
                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                          92⤵
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:3988
                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                            93⤵
                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:4624
                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                              94⤵
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:552
                                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                95⤵
                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:804
                                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                  96⤵
                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                  PID:1800
                                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                    97⤵
                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:116
                                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                      98⤵
                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:1580
                                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:3216
                                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                          100⤵
                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          PID:2204
                                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                            101⤵
                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:4844
                                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                              102⤵
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:1324
                                                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:2760
                                                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                  PID:404
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:4360
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:3892
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:2460
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:4496
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                            PID:4316
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                              110⤵
                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              PID:4600
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                111⤵
                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:3940
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                  112⤵
                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  PID:3276
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                    113⤵
                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                    PID:3400
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                      114⤵
                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                      PID:4072
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                        115⤵
                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                        PID:3812
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                          116⤵
                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                          PID:2524
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                            117⤵
                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                            PID:4528
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                              118⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                              PID:4724
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                119⤵
                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                PID:2668
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                  120⤵
                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                  PID:3100
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                    121⤵
                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:4140
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                      PID:3196
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                        123⤵
                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                        PID:4452
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                          PID:744
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                            PID:440
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                              126⤵
                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                              PID:1512
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                127⤵
                                                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                PID:1096
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                  128⤵
                                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                  PID:3004
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                    129⤵
                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                    PID:4388
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                      130⤵
                                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                      PID:640
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                        "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                        131⤵
                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                        PID:1908
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                          132⤵
                                                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                          PID:4940
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                            133⤵
                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                            PID:864
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                              "C:\Windows\system32\wiacmfgr.exe" C:\Windows\SysWOW64\wiacmfgr.exe
                                                                                                                                                                                                                                                                              134⤵
                                                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                              PID:1960

Network

  • flag-us
    DNS
    rix.messenger-update.ru
    a28b528c73a2e5e06b5b535db03b9132_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    rix.messenger-update.ru
    IN A
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\wiacmfgr.exe

    Filesize

    142KB

    MD5

    a28b528c73a2e5e06b5b535db03b9132

    SHA1

    6b54ee539c8aacdb7b9cd5f6656977019e4c834e

    SHA256

    c57f93ef59e128b92725fa21ea639eef5762db792fd5d9f408a439de976f7573

    SHA512

    485e1ad7ac5781a36ade8e6c233d76c97c723790a3a9c7c817b307023a77d05f295e9933ad9a6da3ef309f4c93acb04102ea2013f62d24c1a33f5fca395a09d4

