metasploit | ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Size

172KB
MD5

c8330861d83f29369ce25b0ee9dc58f8
SHA1

8722c3626740f3c3ae152a83c2c0d16d61efee74
SHA256

ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50
SHA512

472af193b1089ce72a0e9a4610561eadad535dcc96482e31ae46918e9eed25ac5c119ac492bae11b4effd09761fba67867fe6ea7db8d1a4e703fe5f1a2653817
SSDEEP

3072:hlCEKWX/bM97h4N9U+TrIIfMAmm5BCPbdCAW3MFehirTuyVr6g:ha2g9N4Y+/3m2BCPRC1wVr

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2780	wmpfn1.exe

Executes dropped EXE 64 IoCs

pid	Process
1656	wmpfn1.exe
2780	wmpfn1.exe
2600	wmpfn1.exe
2632	wmpfn1.exe
1028	wmpfn1.exe
2816	wmpfn1.exe
376	wmpfn1.exe
1940	wmpfn1.exe
2892	wmpfn1.exe
3048	wmpfn1.exe
1484	wmpfn1.exe
2208	wmpfn1.exe
1504	wmpfn1.exe
1804	wmpfn1.exe
1124	wmpfn1.exe
1268	wmpfn1.exe
2084	wmpfn1.exe
2412	wmpfn1.exe
1544	wmpfn1.exe
2464	wmpfn1.exe
2320	wmpfn1.exe
1060	wmpfn1.exe
2784	wmpfn1.exe
2724	wmpfn1.exe
2708	wmpfn1.exe
2576	wmpfn1.exe
3036	wmpfn1.exe
2644	wmpfn1.exe
1632	wmpfn1.exe
1944	wmpfn1.exe
1312	wmpfn1.exe
2384	wmpfn1.exe
2912	wmpfn1.exe
2228	wmpfn1.exe
584	wmpfn1.exe
448	wmpfn1.exe
988	wmpfn1.exe
704	wmpfn1.exe
1304	wmpfn1.exe
912	wmpfn1.exe
2312	wmpfn1.exe
1488	wmpfn1.exe
1512	wmpfn1.exe
2308	wmpfn1.exe
1608	wmpfn1.exe
2368	wmpfn1.exe
2796	wmpfn1.exe
2772	wmpfn1.exe
1592	wmpfn1.exe
3056	wmpfn1.exe
2896	wmpfn1.exe
1540	wmpfn1.exe
1564	wmpfn1.exe
1936	wmpfn1.exe
2276	wmpfn1.exe
1312	wmpfn1.exe
2476	wmpfn1.exe
2252	wmpfn1.exe
2372	wmpfn1.exe
1480	wmpfn1.exe
612	wmpfn1.exe
1868	wmpfn1.exe
1560	wmpfn1.exe
1004	wmpfn1.exe

Loads dropped DLL 64 IoCs

pid	Process
2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
1656	wmpfn1.exe
2780	wmpfn1.exe
2780	wmpfn1.exe
2632	wmpfn1.exe
2632	wmpfn1.exe
2816	wmpfn1.exe
2816	wmpfn1.exe
1940	wmpfn1.exe
1940	wmpfn1.exe
3048	wmpfn1.exe
3048	wmpfn1.exe
2208	wmpfn1.exe
2208	wmpfn1.exe
1804	wmpfn1.exe
1804	wmpfn1.exe
1268	wmpfn1.exe
1268	wmpfn1.exe
2412	wmpfn1.exe
2412	wmpfn1.exe
2464	wmpfn1.exe
2464	wmpfn1.exe
1060	wmpfn1.exe
1060	wmpfn1.exe
2724	wmpfn1.exe
2724	wmpfn1.exe
2576	wmpfn1.exe
2576	wmpfn1.exe
2644	wmpfn1.exe
2644	wmpfn1.exe
1944	wmpfn1.exe
1944	wmpfn1.exe
2384	wmpfn1.exe
2384	wmpfn1.exe
2228	wmpfn1.exe
2228	wmpfn1.exe
448	wmpfn1.exe
448	wmpfn1.exe
704	wmpfn1.exe
704	wmpfn1.exe
912	wmpfn1.exe
912	wmpfn1.exe
1488	wmpfn1.exe
1488	wmpfn1.exe
2308	wmpfn1.exe
2308	wmpfn1.exe
2368	wmpfn1.exe
2368	wmpfn1.exe
2772	wmpfn1.exe
2772	wmpfn1.exe
3056	wmpfn1.exe
3056	wmpfn1.exe
1540	wmpfn1.exe
1540	wmpfn1.exe
1936	wmpfn1.exe
1936	wmpfn1.exe
1312	wmpfn1.exe
1312	wmpfn1.exe
2252	wmpfn1.exe
2252	wmpfn1.exe
1480	wmpfn1.exe
1480	wmpfn1.exe
1868	wmpfn1.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpfn1.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File created	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\wmpfn1.exe	wmpfn1.exe
File opened for modification	C:\Windows\SysWOW64\	wmpfn1.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 1656 set thread context of 2780	1656	wmpfn1.exe	33
PID 2600 set thread context of 2632	2600	wmpfn1.exe	35
PID 1028 set thread context of 2816	1028	wmpfn1.exe	37
PID 376 set thread context of 1940	376	wmpfn1.exe	39
PID 2892 set thread context of 3048	2892	wmpfn1.exe	41
PID 1484 set thread context of 2208	1484	wmpfn1.exe	43
PID 1504 set thread context of 1804	1504	wmpfn1.exe	45
PID 1124 set thread context of 1268	1124	wmpfn1.exe	47
PID 2084 set thread context of 2412	2084	wmpfn1.exe	49
PID 1544 set thread context of 2464	1544	wmpfn1.exe	51
PID 2320 set thread context of 1060	2320	wmpfn1.exe	53
PID 2784 set thread context of 2724	2784	wmpfn1.exe	55
PID 2708 set thread context of 2576	2708	wmpfn1.exe	57
PID 3036 set thread context of 2644	3036	wmpfn1.exe	59
PID 1632 set thread context of 1944	1632	wmpfn1.exe	61
PID 1312 set thread context of 2384	1312	wmpfn1.exe	63
PID 2912 set thread context of 2228	2912	wmpfn1.exe	65
PID 584 set thread context of 448	584	wmpfn1.exe	67
PID 988 set thread context of 704	988	wmpfn1.exe	69
PID 1304 set thread context of 912	1304	wmpfn1.exe	71
PID 2312 set thread context of 1488	2312	wmpfn1.exe	73
PID 1512 set thread context of 2308	1512	wmpfn1.exe	75
PID 1608 set thread context of 2368	1608	wmpfn1.exe	77
PID 2796 set thread context of 2772	2796	wmpfn1.exe	79
PID 1592 set thread context of 3056	1592	wmpfn1.exe	81
PID 2896 set thread context of 1540	2896	wmpfn1.exe	83
PID 1564 set thread context of 1936	1564	wmpfn1.exe	85
PID 2276 set thread context of 1312	2276	wmpfn1.exe	87
PID 2476 set thread context of 2252	2476	wmpfn1.exe	89
PID 2372 set thread context of 1480	2372	wmpfn1.exe	91
PID 612 set thread context of 1868	612	wmpfn1.exe	93
PID 1560 set thread context of 1004	1560	wmpfn1.exe	95
PID 1672 set thread context of 2248	1672	wmpfn1.exe	97
PID 896 set thread context of 592	896	wmpfn1.exe	99
PID 1156 set thread context of 2152	1156	wmpfn1.exe	101
PID 2128 set thread context of 2768	2128	wmpfn1.exe	103
PID 2908 set thread context of 2744	2908	wmpfn1.exe	105
PID 2060 set thread context of 2580	2060	wmpfn1.exe	107
PID 2824 set thread context of 2856	2824	wmpfn1.exe	109
PID 1564 set thread context of 1980	1564	wmpfn1.exe	111
PID 2928 set thread context of 2232	2928	wmpfn1.exe	113
PID 2400 set thread context of 3004	2400	wmpfn1.exe	115
PID 2288 set thread context of 2964	2288	wmpfn1.exe	117
PID 1628 set thread context of 924	1628	wmpfn1.exe	119
PID 1596 set thread context of 2084	1596	wmpfn1.exe	121
PID 2140 set thread context of 780	2140	wmpfn1.exe	123
PID 1580 set thread context of 1956	1580	wmpfn1.exe	125
PID 876 set thread context of 1928	876	wmpfn1.exe	127
PID 2984 set thread context of 2764	2984	wmpfn1.exe	129
PID 2640 set thread context of 1440	2640	wmpfn1.exe	131
PID 868 set thread context of 2636	868	wmpfn1.exe	133
PID 2388 set thread context of 2704	2388	wmpfn1.exe	135
PID 1372 set thread context of 3044	1372	wmpfn1.exe	137
PID 2200 set thread context of 2268	2200	wmpfn1.exe	139
PID 584 set thread context of 1016	584	wmpfn1.exe	141

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2056-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-14-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-15-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-13-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-6-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2056-28-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2780-40-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2780-41-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2780-42-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2780-47-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2632-67-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2816-79-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2816-78-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2816-77-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2816-85-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1940-103-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3048-121-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2208-139-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1804-157-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1268-167-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1268-177-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2412-195-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2464-213-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1060-232-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2724-249-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2576-267-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2644-281-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1944-295-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2384-311-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2228-323-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/448-337-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/704-351-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/912-365-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1488-379-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2308-393-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2368-407-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2772-421-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3056-435-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1540-449-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1936-463-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1312-477-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2252-491-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1480-505-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1868-519-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1004-533-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2248-547-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/592-561-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2152-575-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2768-590-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2744-603-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2580-617-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2856-631-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1980-645-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2232-659-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3004-673-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2964-687-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/924-701-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2084-715-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/780-729-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1956-743-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1928-757-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2764-771-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpfn1.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
2780	wmpfn1.exe
2632	wmpfn1.exe
2816	wmpfn1.exe
1940	wmpfn1.exe
3048	wmpfn1.exe
2208	wmpfn1.exe
1804	wmpfn1.exe
1268	wmpfn1.exe
2412	wmpfn1.exe
2464	wmpfn1.exe
1060	wmpfn1.exe
2724	wmpfn1.exe
2576	wmpfn1.exe
2644	wmpfn1.exe
1944	wmpfn1.exe
2384	wmpfn1.exe
2228	wmpfn1.exe
448	wmpfn1.exe
704	wmpfn1.exe
912	wmpfn1.exe
1488	wmpfn1.exe
2308	wmpfn1.exe
2368	wmpfn1.exe
2772	wmpfn1.exe
3056	wmpfn1.exe
1540	wmpfn1.exe
1936	wmpfn1.exe
1312	wmpfn1.exe
2252	wmpfn1.exe
1480	wmpfn1.exe
1868	wmpfn1.exe
1004	wmpfn1.exe
2248	wmpfn1.exe
592	wmpfn1.exe
2152	wmpfn1.exe
2768	wmpfn1.exe
2744	wmpfn1.exe
2580	wmpfn1.exe
2856	wmpfn1.exe
1980	wmpfn1.exe
2232	wmpfn1.exe
3004	wmpfn1.exe
2964	wmpfn1.exe
924	wmpfn1.exe
2084	wmpfn1.exe
780	wmpfn1.exe
1956	wmpfn1.exe
1928	wmpfn1.exe
2764	wmpfn1.exe
1440	wmpfn1.exe
2636	wmpfn1.exe
2704	wmpfn1.exe
3044	wmpfn1.exe
2268	wmpfn1.exe
1016	wmpfn1.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
1656	wmpfn1.exe
2600	wmpfn1.exe
1028	wmpfn1.exe
376	wmpfn1.exe
2892	wmpfn1.exe
1484	wmpfn1.exe
1504	wmpfn1.exe
1124	wmpfn1.exe
2084	wmpfn1.exe
1544	wmpfn1.exe
2320	wmpfn1.exe
2784	wmpfn1.exe
2708	wmpfn1.exe
3036	wmpfn1.exe
1632	wmpfn1.exe
1312	wmpfn1.exe
2912	wmpfn1.exe
584	wmpfn1.exe
988	wmpfn1.exe
1304	wmpfn1.exe
2312	wmpfn1.exe
1512	wmpfn1.exe
1608	wmpfn1.exe
2796	wmpfn1.exe
1592	wmpfn1.exe
2896	wmpfn1.exe
1564	wmpfn1.exe
2276	wmpfn1.exe
2476	wmpfn1.exe
2372	wmpfn1.exe
612	wmpfn1.exe
1560	wmpfn1.exe
1672	wmpfn1.exe
896	wmpfn1.exe
1156	wmpfn1.exe
2128	wmpfn1.exe
2908	wmpfn1.exe
2060	wmpfn1.exe
2824	wmpfn1.exe
1564	wmpfn1.exe
2928	wmpfn1.exe
2400	wmpfn1.exe
2288	wmpfn1.exe
1628	wmpfn1.exe
1596	wmpfn1.exe
2140	wmpfn1.exe
1580	wmpfn1.exe
876	wmpfn1.exe
2984	wmpfn1.exe
2640	wmpfn1.exe
868	wmpfn1.exe
2388	wmpfn1.exe
1372	wmpfn1.exe
2200	wmpfn1.exe
584	wmpfn1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2056	2356	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	30
PID 2056 wrote to memory of 1656	2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	32
PID 2056 wrote to memory of 1656	2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	32
PID 2056 wrote to memory of 1656	2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	32
PID 2056 wrote to memory of 1656	2056	c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe	32
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 1656 wrote to memory of 2780	1656	wmpfn1.exe	33
PID 2780 wrote to memory of 2600	2780	wmpfn1.exe	34
PID 2780 wrote to memory of 2600	2780	wmpfn1.exe	34
PID 2780 wrote to memory of 2600	2780	wmpfn1.exe	34
PID 2780 wrote to memory of 2600	2780	wmpfn1.exe	34
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2600 wrote to memory of 2632	2600	wmpfn1.exe	35
PID 2632 wrote to memory of 1028	2632	wmpfn1.exe	36
PID 2632 wrote to memory of 1028	2632	wmpfn1.exe	36
PID 2632 wrote to memory of 1028	2632	wmpfn1.exe	36
PID 2632 wrote to memory of 1028	2632	wmpfn1.exe	36
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 1028 wrote to memory of 2816	1028	wmpfn1.exe	37
PID 2816 wrote to memory of 376	2816	wmpfn1.exe	38
PID 2816 wrote to memory of 376	2816	wmpfn1.exe	38
PID 2816 wrote to memory of 376	2816	wmpfn1.exe	38
PID 2816 wrote to memory of 376	2816	wmpfn1.exe	38
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 376 wrote to memory of 1940	376	wmpfn1.exe	39
PID 1940 wrote to memory of 2892	1940	wmpfn1.exe	40
PID 1940 wrote to memory of 2892	1940	wmpfn1.exe	40
PID 1940 wrote to memory of 2892	1940	wmpfn1.exe	40
PID 1940 wrote to memory of 2892	1940	wmpfn1.exe	40
PID 2892 wrote to memory of 3048	2892	wmpfn1.exe	41
PID 2892 wrote to memory of 3048	2892	wmpfn1.exe	41
PID 2892 wrote to memory of 3048	2892	wmpfn1.exe	41
PID 2892 wrote to memory of 3048	2892	wmpfn1.exe	41

C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8330861d83f29369ce25b0ee9dc58f8_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\wmpfn1.exe
    "C:\Windows\system32\wmpfn1.exe" C:\Users\Admin\AppData\Local\Temp\C83308~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\wmpfn1.exe
      "C:\Windows\SysWOW64\wmpfn1.exe" C:\Users\Admin\AppData\Local\Temp\C83308~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1004
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        68⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        70⤵
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:592
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        72⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        74⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        78⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        80⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        82⤵
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        84⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        86⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        88⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        90⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        92⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        94⤵
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        96⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        100⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        102⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        103⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        104⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        106⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        108⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        110⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\system32\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Windows\SysWOW64\wmpfn1.exe
        
        "C:\Windows\SysWOW64\wmpfn1.exe" C:\Windows\SysWOW64\wmpfn1.exe
        112⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wmpfn1.exe

Filesize
172KB

MD5
c8330861d83f29369ce25b0ee9dc58f8

SHA1
8722c3626740f3c3ae152a83c2c0d16d61efee74

SHA256
ddecfded7db6f7877e022d2a0c5175acaf4b38d2078ebd281cca09d45ece2f50

SHA512
472af193b1089ce72a0e9a4610561eadad535dcc96482e31ae46918e9eed25ac5c119ac492bae11b4effd09761fba67867fe6ea7db8d1a4e703fe5f1a2653817

Download Submit
memory/448-337-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/592-561-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/704-351-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/780-729-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/912-365-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/924-701-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1004-533-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1060-232-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1268-177-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1268-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1312-477-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1440-785-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1480-505-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1488-379-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-449-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1804-157-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-519-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1928-757-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-463-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1940-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-295-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1956-743-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1980-645-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-715-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2152-575-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2208-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2228-323-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2232-659-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2248-547-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-491-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2268-841-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2308-393-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2368-407-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2384-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2412-195-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-213-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2576-267-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-617-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2632-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-799-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2644-281-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2704-813-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2724-249-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2744-603-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2764-771-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-590-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2772-421-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-77-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2856-631-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2964-687-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3004-673-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3044-827-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3048-121-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3056-435-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download