Malware Analysis Report

2024-10-18 21:34

Sample ID: 240622-142vha1bkl
Target: 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118
SHA256: 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
Tags: metasploit backdoor trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6

Threat Level: Known bad

The file 04148cc87304ef7a3ceebbad09c09084_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan upx

MetaSploit

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-22 22:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-22 22:13

Reported: 2024-06-22 22:15

Platform: win10v2004-20240508-en

Max time kernel: 148s

Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmisvrdf.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 792 set thread context of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1424 set thread context of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 set thread context of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 set thread context of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 set thread context of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 set thread context of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5052 set thread context of 2824 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4192 set thread context of 4176 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2912 set thread context of 4040 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3296 set thread context of 5004 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4984 set thread context of 2068 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4644 set thread context of 4612 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 116 set thread context of 756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2584 set thread context of 4220 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1224 set thread context of 1424 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3832 set thread context of 4592 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3648 set thread context of 1304 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4312 set thread context of 2888 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2456 set thread context of 1064 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4868 set thread context of 3192 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 712 set thread context of 3360 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4840 set thread context of 1240 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 464 set thread context of 2992 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4020 set thread context of 3996 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2560 set thread context of 424 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 836 set thread context of 3708 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3532 set thread context of 4408 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3096 set thread context of 2452 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2336 set thread context of 4448 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3136 set thread context of 3516 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4480 set thread context of 1532 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmisvrdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 792 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 2384 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2384 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2384 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1424 wrote to memory of 3488 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3488 wrote to memory of 4188 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3488 wrote to memory of 4188 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3488 wrote to memory of 4188 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 4188 wrote to memory of 3244 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3244 wrote to memory of 2972 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3244 wrote to memory of 2972 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3244 wrote to memory of 2972 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2972 wrote to memory of 396 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 396 wrote to memory of 2292 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 396 wrote to memory of 2292 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 396 wrote to memory of 2292 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2292 wrote to memory of 5060 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5060 wrote to memory of 2896 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5060 wrote to memory of 2896 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5060 wrote to memory of 2896 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2896 wrote to memory of 2340 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2340 wrote to memory of 5052 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2340 wrote to memory of 5052 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2340 wrote to memory of 5052 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 5052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

Network

Files

memory/2384-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2384-2-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2384-3-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2384-4-0x0000000000400000-0x0000000000469000-memory.dmp

C:\Windows\SysWOW64\wmisvrdf.exe

MD5 04148cc87304ef7a3ceebbad09c09084
SHA1 d8921c3e5480704c173b061ba48be3bba73883ce
SHA256 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a

memory/2384-40-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3488-45-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3488-47-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3244-54-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3244-56-0x0000000000400000-0x0000000000469000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/396-64-0x0000000000400000-0x0000000000469000-memory.dmp

memory/5060-71-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2340-78-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2824-83-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2824-86-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4176-92-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4176-94-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4040-102-0x0000000000400000-0x0000000000469000-memory.dmp

memory/5004-108-0x0000000000400000-0x0000000000469000-memory.dmp

memory/5004-109-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2068-118-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4612-124-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4612-126-0x0000000000400000-0x0000000000469000-memory.dmp

memory/756-131-0x0000000000400000-0x0000000000469000-memory.dmp

memory/756-137-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4220-145-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1424-150-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1424-155-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4592-163-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1304-172-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2888-180-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1064-188-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3192-193-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3192-197-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3360-205-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1240-209-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1240-214-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2992-219-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2992-223-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3996-231-0x0000000000400000-0x0000000000469000-memory.dmp

memory/424-234-0x0000000000400000-0x0000000000469000-memory.dmp

memory/424-238-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3708-244-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4408-248-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4408-251-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2452-254-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2452-258-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4448-264-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3516-270-0x0000000000400000-0x0000000000469000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:13

Reported

2024-06-22 22:15

Platform

win7-20240419-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmisvrdf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File created C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A
File opened for modification C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 2704 set thread context of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 set thread context of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 set thread context of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 set thread context of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 set thread context of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2364 set thread context of 756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1068 set thread context of 1568 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 868 set thread context of 2916 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1480 set thread context of 1292 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 944 set thread context of 2068 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 316 set thread context of 2128 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2680 set thread context of 2704 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1828 set thread context of 2484 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2552 set thread context of 2560 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2116 set thread context of 836 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2452 set thread context of 1732 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1020 set thread context of 1232 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2364 set thread context of 1772 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 584 set thread context of 816 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 340 set thread context of 804 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2908 set thread context of 1700 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2232 set thread context of 2404 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 988 set thread context of 2212 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2056 set thread context of 2648 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2876 set thread context of 2504 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2960 set thread context of 2352 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2476 set thread context of 2800 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2116 set thread context of 1624 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1916 set thread context of 2840 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1820 set thread context of 1832 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2228 set thread context of 760 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 676 set thread context of 1072 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1628 set thread context of 768 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A
N/A N/A C:\Windows\SysWOW64\wmisvrdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 1648 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe
PID 2060 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2060 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2060 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2060 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2704 wrote to memory of 2756 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2756 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2756 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2756 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2756 wrote to memory of 2520 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2520 wrote to memory of 3012 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3012 wrote to memory of 2800 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3012 wrote to memory of 2800 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3012 wrote to memory of 2800 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 3012 wrote to memory of 2800 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2800 wrote to memory of 2856 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2856 wrote to memory of 1364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2856 wrote to memory of 1364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2856 wrote to memory of 1364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 2856 wrote to memory of 1364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1364 wrote to memory of 1848 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1848 wrote to memory of 1348 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1848 wrote to memory of 1348 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1848 wrote to memory of 1348 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1848 wrote to memory of 1348 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1348 wrote to memory of 1036 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1036 wrote to memory of 2364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe
PID 1036 wrote to memory of 2364 N/A C:\Windows\SysWOW64\wmisvrdf.exe C:\Windows\SysWOW64\wmisvrdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04148cc87304ef7a3ceebbad09c09084_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Users\Admin\AppData\Local\Temp\04148C~1.EXE

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\system32\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

C:\Windows\SysWOW64\wmisvrdf.exe

"C:\Windows\SysWOW64\wmisvrdf.exe" C:\Windows\SysWOW64\wmisvrdf.exe

Network

N/A

Files

memory/2060-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-3-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-4-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-6-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-2-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-7-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-9-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2060-8-0x0000000000400000-0x0000000000469000-memory.dmp

\Windows\SysWOW64\wmisvrdf.exe

MD5 04148cc87304ef7a3ceebbad09c09084
SHA1 d8921c3e5480704c173b061ba48be3bba73883ce
SHA256 5f8cfcf6ac7e58a3d0ab6a6f6ad171bb210eb23ac97e5e4c872a2aad18a015e6
SHA512 8884f7ba8e917644e4333c528d63443ceb513cb6d5939828db60d0c6bca5da263031fa0fce0e1b9e57543c50193b5277259d4302a3c2bb87dac18a047a8c419a

memory/2060-22-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2756-35-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2756-34-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2756-33-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2756-32-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2756-41-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3012-52-0x0000000000400000-0x0000000000469000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
