metasploit | a63b74ead0e28dc9b9873cd15e65d656f0694ddfacd0f78965c291d0e87879f9

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Size

253KB
MD5

a763573243b374b99bbeed9710709da3
SHA1

b8c74fc1e56689c1d0ed303ca4deda31a50e5a97
SHA256

a63b74ead0e28dc9b9873cd15e65d656f0694ddfacd0f78965c291d0e87879f9
SHA512

2a877d2ad008534fa963130ad5c866d82852f1fa287f26e525dd9c9a3945a0f400a2aab5e82b38f2d5b329b06cefb304e3c3723fce1e887666170e42d3f2a9f8
SSDEEP

6144:wohZUPi4NiH5rGPm0gTOjpFfu/Db5l/kPjomLT:VhZ+uOXunijL

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wmpxc2.exe

Deletes itself 1 IoCs

pid	Process
1228	wmpxc2.exe

Executes dropped EXE 48 IoCs

pid	Process
1228	wmpxc2.exe
4964	wmpxc2.exe
4180	wmpxc2.exe
2188	wmpxc2.exe
1416	wmpxc2.exe
1492	wmpxc2.exe
1292	wmpxc2.exe
4248	wmpxc2.exe
2064	wmpxc2.exe
3540	wmpxc2.exe
1236	wmpxc2.exe
2268	wmpxc2.exe
1616	wmpxc2.exe
4804	wmpxc2.exe
2576	wmpxc2.exe
4400	wmpxc2.exe
4828	wmpxc2.exe
4292	wmpxc2.exe
1500	wmpxc2.exe
4316	wmpxc2.exe
888	wmpxc2.exe
1936	wmpxc2.exe
4500	wmpxc2.exe
3500	wmpxc2.exe
2676	wmpxc2.exe
3084	wmpxc2.exe
472	wmpxc2.exe
1440	wmpxc2.exe
1092	wmpxc2.exe
4700	wmpxc2.exe
2240	wmpxc2.exe
4432	wmpxc2.exe
3840	wmpxc2.exe
4436	wmpxc2.exe
4576	wmpxc2.exe
3508	wmpxc2.exe
4996	wmpxc2.exe
3728	wmpxc2.exe
4724	wmpxc2.exe
2804	wmpxc2.exe
5040	wmpxc2.exe
1068	wmpxc2.exe
5000	wmpxc2.exe
4440	wmpxc2.exe
3616	wmpxc2.exe
3280	wmpxc2.exe
4100	wmpxc2.exe
2096	wmpxc2.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpxc2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmpxc2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File created	C:\Windows\SysWOW64\wmpxc2.exe	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe
File opened for modification	C:\Windows\SysWOW64\	wmpxc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpxc2.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpxc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
2924	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
1228	wmpxc2.exe
1228	wmpxc2.exe
4964	wmpxc2.exe
4964	wmpxc2.exe
4180	wmpxc2.exe
4180	wmpxc2.exe
2188	wmpxc2.exe
2188	wmpxc2.exe
1416	wmpxc2.exe
1416	wmpxc2.exe
1492	wmpxc2.exe
1492	wmpxc2.exe
1292	wmpxc2.exe
1292	wmpxc2.exe
4248	wmpxc2.exe
4248	wmpxc2.exe
2064	wmpxc2.exe
2064	wmpxc2.exe
3540	wmpxc2.exe
3540	wmpxc2.exe
1236	wmpxc2.exe
1236	wmpxc2.exe
2268	wmpxc2.exe
2268	wmpxc2.exe
1616	wmpxc2.exe
1616	wmpxc2.exe
4804	wmpxc2.exe
4804	wmpxc2.exe
2576	wmpxc2.exe
2576	wmpxc2.exe
4400	wmpxc2.exe
4400	wmpxc2.exe
4828	wmpxc2.exe
4828	wmpxc2.exe
4292	wmpxc2.exe
4292	wmpxc2.exe
1500	wmpxc2.exe
1500	wmpxc2.exe
4316	wmpxc2.exe
4316	wmpxc2.exe
888	wmpxc2.exe
888	wmpxc2.exe
1936	wmpxc2.exe
1936	wmpxc2.exe
4500	wmpxc2.exe
4500	wmpxc2.exe
3500	wmpxc2.exe
3500	wmpxc2.exe
2676	wmpxc2.exe
2676	wmpxc2.exe
3084	wmpxc2.exe
3084	wmpxc2.exe
472	wmpxc2.exe
472	wmpxc2.exe
1440	wmpxc2.exe
1440	wmpxc2.exe
1092	wmpxc2.exe
1092	wmpxc2.exe
4700	wmpxc2.exe
4700	wmpxc2.exe
2240	wmpxc2.exe
2240	wmpxc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1228	2924	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe	83
PID 2924 wrote to memory of 1228	2924	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe	83
PID 2924 wrote to memory of 1228	2924	a763573243b374b99bbeed9710709da3_JaffaCakes118.exe	83
PID 1228 wrote to memory of 4964	1228	wmpxc2.exe	90
PID 1228 wrote to memory of 4964	1228	wmpxc2.exe	90
PID 1228 wrote to memory of 4964	1228	wmpxc2.exe	90
PID 4964 wrote to memory of 4180	4964	wmpxc2.exe	93
PID 4964 wrote to memory of 4180	4964	wmpxc2.exe	93
PID 4964 wrote to memory of 4180	4964	wmpxc2.exe	93
PID 4180 wrote to memory of 2188	4180	wmpxc2.exe	98
PID 4180 wrote to memory of 2188	4180	wmpxc2.exe	98
PID 4180 wrote to memory of 2188	4180	wmpxc2.exe	98
PID 2188 wrote to memory of 1416	2188	wmpxc2.exe	99
PID 2188 wrote to memory of 1416	2188	wmpxc2.exe	99
PID 2188 wrote to memory of 1416	2188	wmpxc2.exe	99
PID 1416 wrote to memory of 1492	1416	wmpxc2.exe	100
PID 1416 wrote to memory of 1492	1416	wmpxc2.exe	100
PID 1416 wrote to memory of 1492	1416	wmpxc2.exe	100
PID 1492 wrote to memory of 1292	1492	wmpxc2.exe	101
PID 1492 wrote to memory of 1292	1492	wmpxc2.exe	101
PID 1492 wrote to memory of 1292	1492	wmpxc2.exe	101
PID 1292 wrote to memory of 4248	1292	wmpxc2.exe	102
PID 1292 wrote to memory of 4248	1292	wmpxc2.exe	102
PID 1292 wrote to memory of 4248	1292	wmpxc2.exe	102
PID 4248 wrote to memory of 2064	4248	wmpxc2.exe	103
PID 4248 wrote to memory of 2064	4248	wmpxc2.exe	103
PID 4248 wrote to memory of 2064	4248	wmpxc2.exe	103
PID 2064 wrote to memory of 3540	2064	wmpxc2.exe	106
PID 2064 wrote to memory of 3540	2064	wmpxc2.exe	106
PID 2064 wrote to memory of 3540	2064	wmpxc2.exe	106
PID 3540 wrote to memory of 1236	3540	wmpxc2.exe	107
PID 3540 wrote to memory of 1236	3540	wmpxc2.exe	107
PID 3540 wrote to memory of 1236	3540	wmpxc2.exe	107
PID 1236 wrote to memory of 2268	1236	wmpxc2.exe	109
PID 1236 wrote to memory of 2268	1236	wmpxc2.exe	109
PID 1236 wrote to memory of 2268	1236	wmpxc2.exe	109
PID 2268 wrote to memory of 1616	2268	wmpxc2.exe	110
PID 2268 wrote to memory of 1616	2268	wmpxc2.exe	110
PID 2268 wrote to memory of 1616	2268	wmpxc2.exe	110
PID 1616 wrote to memory of 4804	1616	wmpxc2.exe	111
PID 1616 wrote to memory of 4804	1616	wmpxc2.exe	111
PID 1616 wrote to memory of 4804	1616	wmpxc2.exe	111
PID 4804 wrote to memory of 2576	4804	wmpxc2.exe	112
PID 4804 wrote to memory of 2576	4804	wmpxc2.exe	112
PID 4804 wrote to memory of 2576	4804	wmpxc2.exe	112
PID 2576 wrote to memory of 4400	2576	wmpxc2.exe	113
PID 2576 wrote to memory of 4400	2576	wmpxc2.exe	113
PID 2576 wrote to memory of 4400	2576	wmpxc2.exe	113
PID 4400 wrote to memory of 4828	4400	wmpxc2.exe	114
PID 4400 wrote to memory of 4828	4400	wmpxc2.exe	114
PID 4400 wrote to memory of 4828	4400	wmpxc2.exe	114
PID 4828 wrote to memory of 4292	4828	wmpxc2.exe	115
PID 4828 wrote to memory of 4292	4828	wmpxc2.exe	115
PID 4828 wrote to memory of 4292	4828	wmpxc2.exe	115
PID 4292 wrote to memory of 1500	4292	wmpxc2.exe	116
PID 4292 wrote to memory of 1500	4292	wmpxc2.exe	116
PID 4292 wrote to memory of 1500	4292	wmpxc2.exe	116
PID 1500 wrote to memory of 4316	1500	wmpxc2.exe	117
PID 1500 wrote to memory of 4316	1500	wmpxc2.exe	117
PID 1500 wrote to memory of 4316	1500	wmpxc2.exe	117
PID 4316 wrote to memory of 888	4316	wmpxc2.exe	118
PID 4316 wrote to memory of 888	4316	wmpxc2.exe	118
PID 4316 wrote to memory of 888	4316	wmpxc2.exe	118
PID 888 wrote to memory of 1936	888	wmpxc2.exe	119

C:\Users\Admin\AppData\Local\Temp\a763573243b374b99bbeed9710709da3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a763573243b374b99bbeed9710709da3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\wmpxc2.exe
  "C:\Windows\system32\wmpxc2.exe" C:\Users\Admin\AppData\Local\Temp\A76357~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\wmpxc2.exe
    "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\wmpxc2.exe
      "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:472
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\wmpxc2.exe
        
        "C:\Windows\system32\wmpxc2.exe" C:\Windows\SysWOW64\wmpxc2.exe
        49⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpxc2.exe

Filesize
253KB

MD5
a763573243b374b99bbeed9710709da3

SHA1
b8c74fc1e56689c1d0ed303ca4deda31a50e5a97

SHA256
a63b74ead0e28dc9b9873cd15e65d656f0694ddfacd0f78965c291d0e87879f9

SHA512
2a877d2ad008534fa963130ad5c866d82852f1fa287f26e525dd9c9a3945a0f400a2aab5e82b38f2d5b329b06cefb304e3c3723fce1e887666170e42d3f2a9f8

Download Submit
memory/472-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/888-114-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1068-180-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1068-186-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1092-141-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1092-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1228-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1228-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1228-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1228-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1236-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1292-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1416-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1440-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1492-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1500-107-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1616-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1616-85-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1936-116-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2064-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2188-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2240-148-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2268-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2576-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2576-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2676-126-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2804-178-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2924-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2924-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2924-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2924-1-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2924-2-0x0000000000477000-0x00000000004B6000-memory.dmp

Filesize
252KB

Download
memory/2924-3-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3084-130-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3280-199-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3500-124-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3508-166-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3540-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3540-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3616-195-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3728-172-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3840-156-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4100-202-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4100-197-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4180-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4180-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4248-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4292-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4316-111-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4316-106-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4400-97-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4432-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4436-160-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4440-192-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4500-120-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4576-163-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4700-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4724-175-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4804-91-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4828-100-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4964-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4964-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4996-169-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5000-189-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5000-184-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5040-182-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download