Malware Analysis Report

2024-10-18 21:34

Sample ID 240623-leq95sxejg
Target 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118
SHA256 cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776

Threat Level: Known bad

The file 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Deletes itself

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 09:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 09:27

Reported

2024-06-23 09:29

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe N/A
File created C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpxr1.exe C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 664 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2040 wrote to memory of 2484 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2484 wrote to memory of 2848 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2848 wrote to memory of 2316 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2316 wrote to memory of 1704 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1704 wrote to memory of 1944 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1944 wrote to memory of 1380 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1380 wrote to memory of 2276 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2276 wrote to memory of 1792 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1792 wrote to memory of 2216 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2216 wrote to memory of 1592 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1592 wrote to memory of 2436 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2436 wrote to memory of 2104 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2104 wrote to memory of 2972 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2972 wrote to memory of 2804 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmpxr1.exe

"C:\Windows\system32\wmpxr1.exe" C:\Users\Admin\AppData\Local\Temp\05E35C~1.EXE

C:\Windows\SysWOW64\wmpxr1.exe

"C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe

(The image path and command line above are listed 57 times in the original process list, one per further wmpxr1.exe instance. Each of those instances is given the dropped copy's own path as its single argument, whereas the first instance, above it, was given the original sample's short path instead.)

Network

N/A

Files

memory/664-0-0x0000000000400000-0x0000000000488000-memory.dmp

memory/664-2-0x0000000000475000-0x0000000000487000-memory.dmp

memory/664-1-0x0000000000400000-0x0000000000488000-memory.dmp

memory/664-3-0x0000000000400000-0x0000000000488000-memory.dmp

memory/664-4-0x0000000000400000-0x0000000000488000-memory.dmp

\Windows\SysWOW64\wmpxr1.exe

MD5 05e35cde9615f997867818cb6ae5b38f
SHA1 38726431f39e47c168ff014b7c04e0a00ebf2b85
SHA256 cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776
SHA512 6f3ae7b9a49a96a80cd49314f2dfa5c2c98a0ba678fc35952c1516ab3b0e12f6199fb55051fdcc8ef8bc04b4ba546499ce5e409487251ee495a57a6d12abea87

memory/664-10-0x0000000003260000-0x00000000032E8000-memory.dmp

memory/664-18-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2040-19-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2040-20-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2040-27-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2484-25-0x0000000000400000-0x0000000000488000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
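Two things in this Files listing are worth checking mechanically rather than by eye: the dropped \Windows\SysWOW64\wmpxr1.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-identical copy rather than a repacked second stage, and the \??\PIPE\srvsvc entry carries the digests of zero-length input, so no pipe content was actually captured. The Python below is an added example and not part of the report: it recomputes the empty-input digests with hashlib and classifies each artifact against the sample's SHA256, using the digests copied from the listing above as constructed input.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")

# SHA256 of the submitted sample, as listed in this report.
SAMPLE_SHA256 = "cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776"

# Constructed input: the two artifacts and their digests copied from the
# Files listing above.
REPORTED_FILES = {
    r"\Windows\SysWOW64\wmpxr1.exe": {
        "md5": "05e35cde9615f997867818cb6ae5b38f",
        "sha1": "38726431f39e47c168ff014b7c04e0a00ebf2b85",
        "sha256": "cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776",
        "sha512": "6f3ae7b9a49a96a80cd49314f2dfa5c2c98a0ba678fc35952c1516ab3b0e12f6"
                  "199fb55051fdcc8ef8bc04b4ba546499ce5e409487251ee495a57a6d12abea87",
    },
    r"\??\PIPE\srvsvc": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
}


def empty_input_digests():
    """Digests of zero bytes: an artifact reporting these had no content captured."""
    return {algo: hashlib.new(algo, b"").hexdigest() for algo in ALGOS}


def classify_artifact(digests, sample_sha256):
    """Label one artifact's digest set relative to the submitted sample.

    Keys in `digests` are expected to be a subset of ALGOS.
    """
    if not digests:
        return "no-digests"
    empty = empty_input_digests()
    matched_empty = [a for a in digests if a in empty and digests[a] == empty[a]]
    if matched_empty and len(matched_empty) == len(digests):
        return "empty"
    if matched_empty:
        return "inconsistent"  # some digests say empty, others do not: distrust the row
    if digests.get("sha256") == sample_sha256:
        return "identical-copy"  # same bytes as the sample: no new stage to unpack
    return "distinct"


def triage(files, sample_sha256):
    """Classify every reported artifact; returns {path: label}."""
    return {path: classify_artifact(d, sample_sha256) for path, d in files.items()}


if __name__ == "__main__":
    for path, label in triage(REPORTED_FILES, SAMPLE_SHA256).items():
        print(f"{label:15s} {path}")
```

The "identical-copy" label is the practical takeaway for this sample: the file in SysWOW64 needs no separate static analysis, and any detection written for the submitted hash covers the dropped copy as well. An "inconsistent" result would point at a transcription or capture problem in the listing rather than at the sample.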

memory/2848-33-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2484-34-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2316-40-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2848-38-0x0000000003990000-0x0000000003A18000-memory.dmp

memory/2848-42-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2316-48-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1704-53-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1944-56-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1944-60-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1380-62-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1380-68-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2276-74-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1792-75-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1792-80-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2216-88-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1592-87-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1592-91-0x00000000033A0000-0x0000000003428000-memory.dmp

memory/1592-95-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2436-102-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2104-103-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2104-108-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2804-115-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2972-116-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2804-122-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2796-129-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2816-128-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2796-134-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1552-137-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1472-138-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1552-140-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1920-142-0x0000000000400000-0x0000000000488000-memory.dmp

memory/888-145-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1920-144-0x0000000000400000-0x0000000000488000-memory.dmp

memory/888-147-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2872-149-0x00000000030A0000-0x0000000003128000-memory.dmp

memory/2872-152-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1000-151-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1000-153-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2120-157-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1000-156-0x0000000003460000-0x00000000034E8000-memory.dmp

memory/1000-155-0x0000000003460000-0x00000000034E8000-memory.dmp

memory/2120-160-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1640-161-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1640-163-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2416-165-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2612-168-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2416-167-0x0000000003220000-0x00000000032A8000-memory.dmp

memory/2416-169-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2612-171-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1396-173-0x0000000000400000-0x0000000000488000-memory.dmp

memory/676-177-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1396-176-0x0000000000400000-0x0000000000488000-memory.dmp

memory/676-179-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2788-182-0x0000000000400000-0x0000000000488000-memory.dmp

memory/472-183-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2276-186-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2788-187-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2276-189-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2352-190-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2352-191-0x00000000031F0000-0x0000000003278000-memory.dmp

memory/2352-200-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1708-203-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2580-204-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2580-206-0x0000000003220000-0x00000000032A8000-memory.dmp

memory/2580-209-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2700-207-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3008-211-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2700-213-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1808-215-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3008-217-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1808-218-0x00000000034F0000-0x0000000003578000-memory.dmp

memory/2836-222-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1808-221-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2836-225-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2388-229-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1244-228-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2388-231-0x0000000000400000-0x0000000000488000-memory.dmp

memory/852-235-0x0000000003290000-0x0000000003318000-memory.dmp

memory/852-236-0x0000000000400000-0x0000000000488000-memory.dmp

memory/856-238-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1812-241-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1948-243-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2300-246-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1812-247-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2888-251-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2300-250-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2888-254-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1700-255-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1700-258-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2960-259-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2960-261-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2812-263-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2812-266-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1584-268-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2608-270-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2608-272-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2356-276-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2796-279-0x0000000000400000-0x0000000000488000-memory.dmp
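Every dump name above encodes a PID, a sequence number and a start and end address. Most entries are the 0x400000-0x488000 image mapping (0x88000 bytes), but several PIDs also show a second region of exactly that size at a higher address (for example 664-10, 2848-38 and 1592-91). The Python below is an added example, not part of the report: it parses dump names in this format and flags, per PID, any non-image region whose size equals that PID's image size. The eight names embedded in it are a constructed subset of the list above. Whether such a region actually holds a copy of the image is something to confirm from the dump contents; the script only surfaces the size match.

```python
import re
from collections import defaultdict

# Dump name layout used by this report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Preferred load address of a 32-bit PE, which is where this sample's image maps.
IMAGE_BASE = 0x400000

# Constructed input: a subset of the Files entries above, including one
# non-dump line to show that it is skipped.
SAMPLE_DUMPS = r"""
memory/664-0-0x0000000000400000-0x0000000000488000-memory.dmp
memory/664-2-0x0000000000475000-0x0000000000487000-memory.dmp
memory/664-10-0x0000000003260000-0x00000000032E8000-memory.dmp
memory/2848-33-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2848-38-0x0000000003990000-0x0000000003A18000-memory.dmp
memory/1592-87-0x0000000000400000-0x0000000000488000-memory.dmp
memory/1592-91-0x00000000033A0000-0x0000000003428000-memory.dmp
memory/2436-102-0x0000000000400000-0x0000000000488000-memory.dmp
\Windows\SysWOW64\wmpxr1.exe
"""


def parse_dumps(text):
    """Return (pid, seq, start, end) for every line that is a dump name."""
    regions = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return regions


def image_sized_regions(regions):
    """Per PID, the non-image regions whose size equals that PID's image mapping size."""
    spans_by_pid = defaultdict(list)
    for pid, _, start, end in regions:
        if (start, end) not in spans_by_pid[pid]:  # the same span is dumped repeatedly
            spans_by_pid[pid].append((start, end))
    hits = {}
    for pid, spans in spans_by_pid.items():
        image = [(s, e) for s, e in spans if s == IMAGE_BASE]
        if not image:
            continue  # no image mapping seen for this PID; nothing to compare against
        image_size = image[0][1] - image[0][0]
        matches = [(s, e) for s, e in spans if s != IMAGE_BASE and e - s == image_size]
        if matches:
            hits[pid] = matches
    return hits


if __name__ == "__main__":
    for pid, spans in image_sized_regions(parse_dumps(SAMPLE_DUMPS)).items():
        for start, end in spans:
            print(f"PID {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes) matches image size")
```

A sub-range inside the image, such as 664-2 (0x475000-0x487000), is not flagged because its size differs; only whole-image-sized regions outside the mapping are reported, which keeps the output to the handful of PIDs worth opening in a debugger or a memory-forensics tool.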

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 09:27

Reported

2024-06-23 09:29

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wmpxr1.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A
(This row is repeated 50 times in the original table with all columns identical.)

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\wmpxr1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\wmpxr1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe N/A
File opened for modification C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe N/A
File created C:\Windows\SysWOW64\wmpxr1.exe C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\wmpxr1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wmpxr1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 3308 wrote to memory of 4036 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 4036 wrote to memory of 1576 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1576 wrote to memory of 680 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 680 wrote to memory of 3780 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 3780 wrote to memory of 2304 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2304 wrote to memory of 2136 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2136 wrote to memory of 3880 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 3880 wrote to memory of 4900 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 5108 wrote to memory of 1604 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1604 wrote to memory of 4960 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 4960 wrote to memory of 744 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 744 wrote to memory of 2444 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2444 wrote to memory of 436 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 436 wrote to memory of 3652 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 3652 wrote to memory of 4660 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 4660 wrote to memory of 1884 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 2384 wrote to memory of 544 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 544 wrote to memory of 4584 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 4584 wrote to memory of 1644 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe
PID 1644 wrote to memory of 232 N/A C:\Windows\SysWOW64\wmpxr1.exe C:\Windows\SysWOW64\wmpxr1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe"

C:\Windows\SysWOW64\wmpxr1.exe

"C:\Windows\system32\wmpxr1.exe" C:\Users\Admin\AppData\Local\Temp\05E35C~1.EXE

C:\Windows\SysWOW64\wmpxr1.exe

"C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\wmpxr1.exe

MD5 05e35cde9615f997867818cb6ae5b38f
SHA1 38726431f39e47c168ff014b7c04e0a00ebf2b85
SHA256 cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776
SHA512 6f3ae7b9a49a96a80cd49314f2dfa5c2c98a0ba678fc35952c1516ab3b0e12f6199fb55051fdcc8ef8bc04b4ba546499ce5e409487251ee495a57a6d12abea87

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e


memory/3960-174-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1000-177-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4020-179-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1000-183-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4960-185-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2176-187-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1624-189-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4960-191-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1624-194-0x0000000000400000-0x0000000000488000-memory.dmp

memory/116-197-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3824-198-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4888-201-0x0000000000400000-0x0000000000488000-memory.dmp

memory/116-202-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4888-205-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3896-206-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4300-209-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3896-210-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4300-213-0x0000000000400000-0x0000000000488000-memory.dmp

memory/400-216-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1888-217-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4956-219-0x0000000000400000-0x0000000000488000-memory.dmp

memory/400-221-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2400-224-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4956-225-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2400-228-0x0000000000400000-0x0000000000488000-memory.dmp

memory/2284-231-0x0000000000400000-0x0000000000488000-memory.dmp