metasploit | f5d16e0ce939d7a58fe58500015320c962abca9f188e4d48503a67db858adb67

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
Size

154KB
MD5

d392ac090591df46727a9fa8b8988e14
SHA1

16e07eae431abd76dc7e4fd1a5ffb1a16701e3a5
SHA256

f5d16e0ce939d7a58fe58500015320c962abca9f188e4d48503a67db858adb67
SHA512

92da8420045b92ca6edff8f93db947ec43f09911f6b05ebe6cbd7d087e2e6dac527e8a29fd9d2c00bf57c0ae52bf2afa4e13054b6a430bdaa739428e1e9f9c67
SSDEEP

3072:WyehhK/H/wwmUnAntBnYnGLx11/WiN01/Kv:yhcfowGuG/1/WiN5

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2664	wmpdv2.exe
556	wmpdv2.exe
2736	wmpdv2.exe
1336	wmpdv2.exe
1080	wmpdv2.exe
2152	wmpdv2.exe
1440	wmpdv2.exe
1300	wmpdv2.exe
916	wmpdv2.exe
2240	wmpdv2.exe
2388	wmpdv2.exe
2716	wmpdv2.exe
2672	wmpdv2.exe
604	wmpdv2.exe
2400	wmpdv2.exe
2248	wmpdv2.exe
2908	wmpdv2.exe
1244	wmpdv2.exe
2072	wmpdv2.exe
1228	wmpdv2.exe
1320	wmpdv2.exe
2296	wmpdv2.exe
2720	wmpdv2.exe
2792	wmpdv2.exe
2784	wmpdv2.exe
576	wmpdv2.exe
1128	wmpdv2.exe
1540	wmpdv2.exe
2912	wmpdv2.exe
2480	wmpdv2.exe
2160	wmpdv2.exe
2376	wmpdv2.exe
2812	wmpdv2.exe
2928	wmpdv2.exe
2060	wmpdv2.exe
2196	wmpdv2.exe
2504	wmpdv2.exe
572	wmpdv2.exe
1816	wmpdv2.exe
1756	wmpdv2.exe
2000	wmpdv2.exe
1948	wmpdv2.exe
1140	wmpdv2.exe
1368	wmpdv2.exe
2028	wmpdv2.exe
2804	wmpdv2.exe
2880	wmpdv2.exe
2608	wmpdv2.exe
2612	wmpdv2.exe
792	wmpdv2.exe
2488	wmpdv2.exe
764	wmpdv2.exe
1992	wmpdv2.exe
2088	wmpdv2.exe
316	wmpdv2.exe
1296	wmpdv2.exe
2132	wmpdv2.exe
1512	wmpdv2.exe
2392	wmpdv2.exe
1968	wmpdv2.exe
1068	wmpdv2.exe
1604	wmpdv2.exe
952	wmpdv2.exe
2460	wmpdv2.exe

Loads dropped DLL 64 IoCs

pid	Process
1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
2664	wmpdv2.exe
556	wmpdv2.exe
556	wmpdv2.exe
2736	wmpdv2.exe
1336	wmpdv2.exe
1336	wmpdv2.exe
1080	wmpdv2.exe
2152	wmpdv2.exe
2152	wmpdv2.exe
1440	wmpdv2.exe
1300	wmpdv2.exe
1300	wmpdv2.exe
916	wmpdv2.exe
2240	wmpdv2.exe
2240	wmpdv2.exe
2388	wmpdv2.exe
2716	wmpdv2.exe
2716	wmpdv2.exe
2672	wmpdv2.exe
604	wmpdv2.exe
604	wmpdv2.exe
2400	wmpdv2.exe
2248	wmpdv2.exe
2248	wmpdv2.exe
2908	wmpdv2.exe
1244	wmpdv2.exe
1244	wmpdv2.exe
2072	wmpdv2.exe
1228	wmpdv2.exe
1228	wmpdv2.exe
1320	wmpdv2.exe
2296	wmpdv2.exe
2296	wmpdv2.exe
2720	wmpdv2.exe
2792	wmpdv2.exe
2792	wmpdv2.exe
2784	wmpdv2.exe
576	wmpdv2.exe
576	wmpdv2.exe
1128	wmpdv2.exe
1540	wmpdv2.exe
1540	wmpdv2.exe
2912	wmpdv2.exe
2480	wmpdv2.exe
2480	wmpdv2.exe
2160	wmpdv2.exe
2376	wmpdv2.exe
2376	wmpdv2.exe
2812	wmpdv2.exe
2928	wmpdv2.exe
2928	wmpdv2.exe
2060	wmpdv2.exe
2196	wmpdv2.exe
2196	wmpdv2.exe
2504	wmpdv2.exe
572	wmpdv2.exe
572	wmpdv2.exe
1816	wmpdv2.exe
1756	wmpdv2.exe
1756	wmpdv2.exe
2000	wmpdv2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File opened for modification	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe
File created	C:\Windows\SysWOW64\wmpdv2.exe	wmpdv2.exe

Suspicious use of SetThreadContext 42 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 2664 set thread context of 556	2664	wmpdv2.exe	30
PID 2736 set thread context of 1336	2736	wmpdv2.exe	32
PID 1080 set thread context of 2152	1080	wmpdv2.exe	34
PID 1440 set thread context of 1300	1440	wmpdv2.exe	36
PID 916 set thread context of 2240	916	wmpdv2.exe	38
PID 2388 set thread context of 2716	2388	wmpdv2.exe	40
PID 2672 set thread context of 604	2672	wmpdv2.exe	42
PID 2400 set thread context of 2248	2400	wmpdv2.exe	46
PID 2908 set thread context of 1244	2908	wmpdv2.exe	48
PID 2072 set thread context of 1228	2072	wmpdv2.exe	50
PID 1320 set thread context of 2296	1320	wmpdv2.exe	52
PID 2720 set thread context of 2792	2720	wmpdv2.exe	54
PID 2784 set thread context of 576	2784	wmpdv2.exe	56
PID 1128 set thread context of 1540	1128	wmpdv2.exe	58
PID 2912 set thread context of 2480	2912	wmpdv2.exe	60
PID 2160 set thread context of 2376	2160	wmpdv2.exe	62
PID 2812 set thread context of 2928	2812	wmpdv2.exe	64
PID 2060 set thread context of 2196	2060	wmpdv2.exe	66
PID 2504 set thread context of 572	2504	wmpdv2.exe	68
PID 1816 set thread context of 1756	1816	wmpdv2.exe	70
PID 2000 set thread context of 1948	2000	wmpdv2.exe	72
PID 1140 set thread context of 1368	1140	wmpdv2.exe	74
PID 2028 set thread context of 2804	2028	wmpdv2.exe	76
PID 2880 set thread context of 2608	2880	wmpdv2.exe	78
PID 2612 set thread context of 792	2612	wmpdv2.exe	80
PID 2488 set thread context of 764	2488	wmpdv2.exe	82
PID 1992 set thread context of 2088	1992	wmpdv2.exe	84
PID 316 set thread context of 1296	316	wmpdv2.exe	86
PID 2132 set thread context of 1512	2132	wmpdv2.exe	88
PID 2392 set thread context of 1968	2392	wmpdv2.exe	90
PID 1068 set thread context of 1604	1068	wmpdv2.exe	92
PID 952 set thread context of 2460	952	wmpdv2.exe	94
PID 1012 set thread context of 2996	1012	wmpdv2.exe	96
PID 2216 set thread context of 2208	2216	wmpdv2.exe	98
PID 812 set thread context of 2256	812	wmpdv2.exe	100
PID 1516 set thread context of 2892	1516	wmpdv2.exe	102
PID 2752 set thread context of 2672	2752	wmpdv2.exe	104
PID 896 set thread context of 2560	896	wmpdv2.exe	106
PID 2400 set thread context of 1808	2400	wmpdv2.exe	108
PID 3036 set thread context of 2472	3036	wmpdv2.exe	110
PID 568 set thread context of 2828	568	wmpdv2.exe	112

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-40-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-45-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-47-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-46-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-44-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-35-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-34-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2648-60-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/556-106-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/556-105-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/556-104-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/556-127-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1336-157-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1336-178-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2152-208-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2152-237-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1300-259-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1300-265-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2240-310-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2716-361-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2240-319-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2716-369-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/604-412-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/604-419-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2248-463-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2248-484-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1244-513-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1244-519-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1228-561-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1228-589-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2296-606-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2296-643-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2792-651-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2792-682-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/576-696-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/576-714-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1540-741-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1540-750-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2480-786-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2480-804-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2376-831-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2376-849-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2928-876-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2928-904-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2196-921-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2196-924-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/572-965-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1756-1011-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/572-1003-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1756-1016-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1948-1055-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1948-1074-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1368-1101-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1368-1107-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2804-1146-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2804-1149-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2608-1191-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2608-1208-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/792-1236-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/792-1254-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/764-1281-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/764-1299-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-1326-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2088-1344-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdv2.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
556	wmpdv2.exe
1336	wmpdv2.exe
2152	wmpdv2.exe
1300	wmpdv2.exe
2240	wmpdv2.exe
2716	wmpdv2.exe
604	wmpdv2.exe
2248	wmpdv2.exe
1244	wmpdv2.exe
1228	wmpdv2.exe
2296	wmpdv2.exe
2792	wmpdv2.exe
576	wmpdv2.exe
1540	wmpdv2.exe
2480	wmpdv2.exe
2376	wmpdv2.exe
2928	wmpdv2.exe
2196	wmpdv2.exe
572	wmpdv2.exe
1756	wmpdv2.exe
1948	wmpdv2.exe
1368	wmpdv2.exe
2804	wmpdv2.exe
2608	wmpdv2.exe
792	wmpdv2.exe
764	wmpdv2.exe
2088	wmpdv2.exe
1296	wmpdv2.exe
1512	wmpdv2.exe
1968	wmpdv2.exe
1604	wmpdv2.exe
2460	wmpdv2.exe
2996	wmpdv2.exe
2208	wmpdv2.exe
2256	wmpdv2.exe
2892	wmpdv2.exe
2672	wmpdv2.exe
2560	wmpdv2.exe
1808	wmpdv2.exe
2472	wmpdv2.exe
2828	wmpdv2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 1860 wrote to memory of 2648	1860	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	28
PID 2648 wrote to memory of 2664	2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2664	2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2664	2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2664	2648	d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe	29
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 2664 wrote to memory of 556	2664	wmpdv2.exe	30
PID 556 wrote to memory of 2736	556	wmpdv2.exe	31
PID 556 wrote to memory of 2736	556	wmpdv2.exe	31
PID 556 wrote to memory of 2736	556	wmpdv2.exe	31
PID 556 wrote to memory of 2736	556	wmpdv2.exe	31
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 2736 wrote to memory of 1336	2736	wmpdv2.exe	32
PID 1336 wrote to memory of 1080	1336	wmpdv2.exe	33
PID 1336 wrote to memory of 1080	1336	wmpdv2.exe	33
PID 1336 wrote to memory of 1080	1336	wmpdv2.exe	33
PID 1336 wrote to memory of 1080	1336	wmpdv2.exe	33
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 1080 wrote to memory of 2152	1080	wmpdv2.exe	34
PID 2152 wrote to memory of 1440	2152	wmpdv2.exe	35
PID 2152 wrote to memory of 1440	2152	wmpdv2.exe	35
PID 2152 wrote to memory of 1440	2152	wmpdv2.exe	35
PID 2152 wrote to memory of 1440	2152	wmpdv2.exe	35
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1440 wrote to memory of 1300	1440	wmpdv2.exe	36
PID 1300 wrote to memory of 916	1300	wmpdv2.exe	37
PID 1300 wrote to memory of 916	1300	wmpdv2.exe	37
PID 1300 wrote to memory of 916	1300	wmpdv2.exe	37
PID 1300 wrote to memory of 916	1300	wmpdv2.exe	37
PID 916 wrote to memory of 2240	916	wmpdv2.exe	38
PID 916 wrote to memory of 2240	916	wmpdv2.exe	38
PID 916 wrote to memory of 2240	916	wmpdv2.exe	38
PID 916 wrote to memory of 2240	916	wmpdv2.exe	38

C:\Users\Admin\AppData\Local\Temp\d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\d392ac090591df46727a9fa8b8988e14_JaffaCakes118.exe
  ÇEüþÿÿÿè@ÿÿÂ
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\wmpdv2.exe
    "C:\Windows\system32\wmpdv2.exe" C:\Users\Admin\AppData\Local\Temp\D392AC~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\wmpdv2.exe
      ÇEüþÿÿÿè@ÿÿÂ
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2388
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2400
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1244
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1128
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:952
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1012
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        "C:\Windows\system32\wmpdv2.exe" C:\Windows\SysWOW64\wmpdv2.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\wmpdv2.exe
        
        ÇEüþÿÿÿè@ÿÿÂ
        84⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AIJ.dll

Filesize
5KB

MD5
dd0ec24c1645070cb3b839dc545f4b6b

SHA1
1402c72102ee7b896303e980fc89a341a23205e5

SHA256
2ae8e7d0d9ea898b0313601b6ccd9d555c0dcb3a18f56d54268bde1d755faadb

SHA512
cd87466f1faf3042f568b4edbe34f4be61f8d4ffcbb82b6612e8407cf09490bd8d9a270ad078db4283e2dd54f6ea0aa34b2d335744a2febd602b782d4a5429aa

Download Submit
\Windows\SysWOW64\wmpdv2.exe

Filesize
154KB

MD5
d392ac090591df46727a9fa8b8988e14

SHA1
16e07eae431abd76dc7e4fd1a5ffb1a16701e3a5

SHA256
f5d16e0ce939d7a58fe58500015320c962abca9f188e4d48503a67db858adb67

SHA512
92da8420045b92ca6edff8f93db947ec43f09911f6b05ebe6cbd7d087e2e6dac527e8a29fd9d2c00bf57c0ae52bf2afa4e13054b6a430bdaa739428e1e9f9c67

Download Submit
memory/556-127-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/556-104-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/556-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/556-106-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/572-965-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/572-1003-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/576-696-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/576-714-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/604-419-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/604-412-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/764-1281-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/764-1299-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/792-1254-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/792-1236-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1080-169-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1080-166-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1228-561-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1228-589-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1244-513-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1244-519-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1296-1371-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1296-1376-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1300-259-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1300-265-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1336-157-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1336-178-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1368-1107-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1368-1101-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1512-1434-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1512-1416-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1540-750-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1540-741-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1604-1506-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1604-1528-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1756-1011-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1756-1016-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1808-1871-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1808-1866-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1860-28-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-15-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-36-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-29-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-30-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-31-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1860-20-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1948-1055-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1948-1074-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1968-1466-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1968-1461-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-1326-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-1344-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2152-208-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2152-237-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2196-921-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2196-924-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2208-1646-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2208-1641-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2240-310-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2240-319-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2248-463-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2248-484-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2256-1723-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2256-1686-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2296-606-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2296-643-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2376-849-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2376-831-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2460-1551-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2460-1560-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2472-1916-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2472-1911-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2480-804-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2480-786-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2560-1821-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2560-1858-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2608-1191-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2608-1208-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-40-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-60-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-32-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-34-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-44-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-46-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-47-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2648-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2664-101-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2672-1776-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2672-1782-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2716-369-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2716-361-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2736-148-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2736-152-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2736-153-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2792-651-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2792-682-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2804-1146-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2804-1149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2828-1956-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2892-1734-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2892-1731-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-876-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-904-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2996-1596-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2996-1619-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download