Malware Analysis Report

2024-10-18 21:34

Sample ID 240623-egvl1ssgkn
Target 0521e318661e12962ec8241369f2168e_JaffaCakes118
SHA256 a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
Tags metasploit backdoor trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647

Threat Level: Known bad

The file 0521e318661e12962ec8241369f2168e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan upx

MetaSploit

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Deletes itself

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-23 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-23 03:55

Reported 2024-06-23 03:57

Platform win7-20240508-en

Max time kernel 149s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2248 set thread context of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 set thread context of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 set thread context of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 set thread context of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 set thread context of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 600 set thread context of 960 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2916 set thread context of 844 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 944 set thread context of 1256 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1724 set thread context of 1200 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2112 set thread context of 1640 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2776 set thread context of 2200 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2572 set thread context of 2528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1316 set thread context of 1672 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1948 set thread context of 1328 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 632 set thread context of 2736 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 596 set thread context of 580 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1708 set thread context of 2056 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 2128 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 1692 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2248 wrote to memory of 2072 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2072 wrote to memory of 2872 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2072 wrote to memory of 2872 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2072 wrote to memory of 2872 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2072 wrote to memory of 2872 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2872 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2996 wrote to memory of 2420 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2996 wrote to memory of 2420 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2996 wrote to memory of 2420 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2996 wrote to memory of 2420 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2420 wrote to memory of 1100 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1100 wrote to memory of 1064 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1100 wrote to memory of 1064 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1100 wrote to memory of 1064 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1100 wrote to memory of 1064 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1064 wrote to memory of 1876 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1876 wrote to memory of 2736 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1876 wrote to memory of 2736 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1876 wrote to memory of 2736 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1876 wrote to memory of 2736 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2736 wrote to memory of 548 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 548 wrote to memory of 600 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 548 wrote to memory of 600 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

Network

N/A

Files

memory/1692-3-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-8-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-9-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-7-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-6-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-2-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-4-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-0-0x0000000000400000-0x0000000000456000-memory.dmp

\Windows\SysWOW64\wmpdlp32.exe

MD5 0521e318661e12962ec8241369f2168e
SHA1 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
SHA256 a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
SHA512 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3
Note: these digests are identical to those of the submitted sample (same MD5 and SHA256 as in the report header), so the file dropped into SysWOW64 is a byte-for-byte copy of the original executable, not a distinct second stage.

memory/2072-33-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1692-36-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2996-55-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2072-54-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1100-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2996-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1876-89-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1100-90-0x0000000000400000-0x0000000000456000-memory.dmp

memory/548-107-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1876-110-0x0000000000400000-0x0000000000456000-memory.dmp

memory/960-126-0x0000000000400000-0x0000000000456000-memory.dmp

memory/548-129-0x0000000000400000-0x0000000000456000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: all four values are the digests of zero-length input (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442..., SHA512 cf83e135...); the sandbox recorded a handle to the srvsvc named pipe but captured no data on it.

memory/844-146-0x0000000000400000-0x0000000000456000-memory.dmp

memory/960-149-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1256-165-0x0000000000400000-0x0000000000456000-memory.dmp

memory/844-168-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1200-184-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1256-187-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1640-200-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1200-203-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2200-213-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1640-216-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2528-226-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2200-229-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1672-239-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2528-242-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1328-252-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1672-255-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2736-265-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1328-268-0x0000000000400000-0x0000000000456000-memory.dmp

memory/580-278-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2736-281-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2056-291-0x0000000000400000-0x0000000000456000-memory.dmp

memory/580-294-0x0000000000400000-0x0000000000456000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 03:55

Reported

2024-06-23 03:57

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpdlp32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpdlp32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
File created C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpdlp32.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3260 set thread context of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 4592 set thread context of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 set thread context of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 set thread context of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 set thread context of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 set thread context of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 set thread context of 4728 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 384 set thread context of 3452 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3392 set thread context of 5108 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1920 set thread context of 4808 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 set thread context of 3784 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 5064 set thread context of 4824 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2284 set thread context of 3680 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2008 set thread context of 4340 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4308 set thread context of 1136 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4064 set thread context of 3620 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpdlp32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpdlp32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 3260 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe
PID 1408 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1408 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1408 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4592 wrote to memory of 4496 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4496 wrote to memory of 4980 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4496 wrote to memory of 4980 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4496 wrote to memory of 4980 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4980 wrote to memory of 2616 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2616 wrote to memory of 3608 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2616 wrote to memory of 3608 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 2616 wrote to memory of 3608 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3608 wrote to memory of 528 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 528 wrote to memory of 4348 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 528 wrote to memory of 4348 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 528 wrote to memory of 4348 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4348 wrote to memory of 3076 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3076 wrote to memory of 1016 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3076 wrote to memory of 1016 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 3076 wrote to memory of 1016 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1016 wrote to memory of 4272 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4272 wrote to memory of 1692 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4272 wrote to memory of 1692 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 4272 wrote to memory of 1692 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 4728 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 4728 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 4728 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
PID 1692 wrote to memory of 4728 N/A C:\Windows\SysWOW64\wmpdlp32.exe C:\Windows\SysWOW64\wmpdlp32.exe
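
The two tables above describe one chain: each parent writes into a freshly created child of its own image and then resets that child's thread context (the process-hollowing pattern), and the hollowed child in turn launches the next copy of wmpdlp32.exe, into which it writes without any context reset. The following added example, which is not part of the sandbox report, parses rows in exactly the format of these tables and labels each parent-to-child edge. The row subset embedded in it is copied from the tables; the reading of "writes without SetThreadContext" as ordinary child creation is an assumption about what the sandbox logs for CreateProcess, as noted in the code.

```python
"""Reconstruct the injection chain recorded in the two tables above.

Added example (not the sandbox's code): it parses rows in the format of the
'Suspicious use of WriteProcessMemory' and 'Suspicious use of SetThreadContext'
tables and labels each parent->child edge.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\wmpdlp32.exe"

# Subset of rows copied from the tables. The full table shows seven writes
# into every child that also gets SetThreadContext and three into every child
# that does not; only a few rows per edge are embedded here.
WRITE_ROWS = [
    f"PID 3260 wrote to memory of 1408 N/A {SAMPLE} {SAMPLE}",
    f"PID 3260 wrote to memory of 1408 N/A {SAMPLE} {SAMPLE}",
    f"PID 1408 wrote to memory of 4592 N/A {SAMPLE} {DROPPED}",
    f"PID 4592 wrote to memory of 4496 N/A {DROPPED} {DROPPED}",
    f"PID 4592 wrote to memory of 4496 N/A {DROPPED} {DROPPED}",
    f"PID 4496 wrote to memory of 4980 N/A {DROPPED} {DROPPED}",
    f"PID 4980 wrote to memory of 2616 N/A {DROPPED} {DROPPED}",
    f"PID 4980 wrote to memory of 2616 N/A {DROPPED} {DROPPED}",
]
CONTEXT_ROWS = [
    f"PID 3260 set thread context of 1408 N/A {SAMPLE} {SAMPLE}",
    f"PID 4592 set thread context of 4496 N/A {DROPPED} {DROPPED}",
    f"PID 4980 set thread context of 2616 N/A {DROPPED} {DROPPED}",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_rows(rows):
    """Group rows by (parent PID, child PID): write count, context flag, images."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {
            "writes": 0, "set_context": False,
            "src_image": m["src_image"], "dst_image": m["dst_image"],
        })
        if m["op"] == "wrote to memory of":
            edge["writes"] += 1
        else:
            edge["set_context"] = True
    return edges


def classify(edge):
    """Label one edge.

    Writing into a child of the parent's own image and then resetting the
    child's thread context is the process-hollowing pattern. Writes without a
    context reset are treated as ordinary child creation; that the sandbox logs
    CreateProcess's initial writes this way is an assumption, not a fact from
    the report.
    """
    same_image = edge["src_image"] == edge["dst_image"]
    if edge["set_context"] and same_image:
        return "hollowing"
    if edge["set_context"]:
        return "injection"  # context reset into a child of a different image
    return "spawn"


def walk_chain(edges):
    """Follow parent->child edges from the root PID (never a destination).

    Each PID is assumed to appear as a parent once. In the full table PID 3608
    appears twice (PID reuse), which needs timestamps to disambiguate; the
    subset here has no reuse.
    """
    child_of = {}
    for src, dst in edges:
        if src in child_of:
            raise ValueError(f"PID {src} reused as a parent; need timestamps")
        child_of[src] = dst
    destinations = {dst for _, dst in edges}
    roots = [src for src in child_of if src not in destinations]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    pid, steps = roots[0], []
    while pid in child_of:
        nxt = child_of[pid]
        steps.append((pid, nxt, classify(edges[(pid, nxt)])))
        pid = nxt
    return steps


if __name__ == "__main__":
    for src, dst, kind in walk_chain(parse_rows(WRITE_ROWS + CONTEXT_ROWS)):
        print(f"{src:>5} -> {dst:<5} {kind}")
```

Run against the full tables, the alternation hollowing / spawn / hollowing continues for every generation listed, and the image switches from the Temp sample to SysWOW64\wmpdlp32.exe at the first spawn edge (1408 to 4592), matching the "C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE command line in the process list below.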

Processes

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0521e318661e12962ec8241369f2168e_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Users\Admin\AppData\Local\Temp\0521E3~1.EXE

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

C:\Windows\SysWOW64\wmpdlp32.exe

"C:\Windows\system32\wmpdlp32.exe" C:\Windows\SysWOW64\wmpdlp32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1408-0-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1408-5-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1408-4-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1408-3-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Windows\SysWOW64\wmpdlp32.exe

MD5 0521e318661e12962ec8241369f2168e
SHA1 0029f82f3d33d7f34eaa248eb3fd4d45bff5ef8f
SHA256 a645525176dc50a4957defdc3bb8a7dce27a64c099dfe6b2aeb00a9309266647
SHA512 41093c8320126682846b75bec3c2673c740a5eed0471407e258feb63dbc58a103c2ffc290857079907b13b3d9edfa367b60566aac48676bb7f8fb9fc63643fa3

memory/4496-44-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1408-47-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2616-54-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4496-52-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4496-55-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2616-64-0x0000000000400000-0x0000000000456000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3076-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/528-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4272-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3076-80-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4272-86-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4728-89-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4728-90-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4728-97-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3452-107-0x0000000000400000-0x0000000000456000-memory.dmp

memory/5108-113-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3784-120-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4808-121-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3784-129-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4824-138-0x0000000000400000-0x0000000000456000-memory.dmp

memory/3680-147-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4340-155-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1136-163-0x0000000000400000-0x0000000000456000-memory.dmp