Analysis
max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe
Size: 194KB
MD5: 05e35cde9615f997867818cb6ae5b38f
SHA1: 38726431f39e47c168ff014b7c04e0a00ebf2b85
SHA256: cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776
SHA512: 6f3ae7b9a49a96a80cd49314f2dfa5c2c98a0ba678fc35952c1516ab3b0e12f6199fb55051fdcc8ef8bc04b4ba546499ce5e409487251ee495a57a6d12abea87
SSDEEP: 6144:Ifw998aN22pAouklidA0zHH6uQFWI4Q/WXc:aw9UKFlcAEH614ED
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 50 IoCs)
Looks up country code configured in the registry, likely geofence.
Deletes itself (1 IoC)
Process: wmpxr1.exe (PID 3308)
Executes dropped EXE (50 IoCs)
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (64 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (50 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (50 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe, wmpxr1.exe (all further instances)
description / pid / process / target process (the report records each of the following events three times unless noted)
PID 2016 wrote to memory of 3308 / 2016 / 05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe / wmpxr1.exe
PID 3308 wrote to memory of 4036 / 3308 / wmpxr1.exe / wmpxr1.exe
PID 4036 wrote to memory of 1576 / 4036 / wmpxr1.exe / wmpxr1.exe
PID 1576 wrote to memory of 680 / 1576 / wmpxr1.exe / wmpxr1.exe
PID 680 wrote to memory of 3780 / 680 / wmpxr1.exe / wmpxr1.exe
PID 3780 wrote to memory of 2304 / 3780 / wmpxr1.exe / wmpxr1.exe
PID 2304 wrote to memory of 2136 / 2304 / wmpxr1.exe / wmpxr1.exe
PID 2136 wrote to memory of 3880 / 2136 / wmpxr1.exe / wmpxr1.exe
PID 3880 wrote to memory of 4900 / 3880 / wmpxr1.exe / wmpxr1.exe
PID 5108 wrote to memory of 1604 / 5108 / wmpxr1.exe / wmpxr1.exe
PID 1604 wrote to memory of 4960 / 1604 / wmpxr1.exe / wmpxr1.exe
PID 4960 wrote to memory of 744 / 4960 / wmpxr1.exe / wmpxr1.exe
PID 744 wrote to memory of 2444 / 744 / wmpxr1.exe / wmpxr1.exe
PID 2444 wrote to memory of 436 / 2444 / wmpxr1.exe / wmpxr1.exe
PID 436 wrote to memory of 3652 / 436 / wmpxr1.exe / wmpxr1.exe
PID 3652 wrote to memory of 4660 / 3652 / wmpxr1.exe / wmpxr1.exe
PID 4660 wrote to memory of 1884 / 4660 / wmpxr1.exe / wmpxr1.exe
PID 1884 wrote to memory of 2384 / 1884 / wmpxr1.exe / wmpxr1.exe
PID 2384 wrote to memory of 544 / 2384 / wmpxr1.exe / wmpxr1.exe
PID 544 wrote to memory of 4584 / 544 / wmpxr1.exe / wmpxr1.exe
PID 4584 wrote to memory of 1644 / 4584 / wmpxr1.exe / wmpxr1.exe
PID 1644 wrote to memory of 232 / 1644 / wmpxr1.exe / wmpxr1.exe (recorded once)
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\05e35cde9615f997867818cb6ae5b38f_JaffaCakes118.exe"
Tree depth: 1
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Users\Admin\AppData\Local\Temp\05E35C~1.EXE
Tree depth: 2
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3308 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 3
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 4
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 5
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:680 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 6
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 7
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 8
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 9
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 10
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Modifies registry class
PID:4900 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 11
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 12
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 13
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 14
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 15
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 16
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 17
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 18
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4660 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 19
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 20
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 21
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 22
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4584 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 23
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 24
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:232 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 25
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4464 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 26
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3404 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 27
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2116 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 28
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:884 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 29
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1968 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 30
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1396 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 31
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 32
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1036 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 33
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4956 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 34
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2880 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 35
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3960 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 36
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4020 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 37
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1000 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 38
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2176 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 39
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4960 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 40
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1624 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 41
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3824 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 42
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:116 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 43
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4888 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 44
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3896 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 45
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4300 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 46
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1888 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 47
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:400 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 48
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4956 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 49
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2400 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 50
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2284 -
Path: C:\Windows\SysWOW64\wmpxr1.exe
Command line: "C:\Windows\system32\wmpxr1.exe" C:\Windows\SysWOW64\wmpxr1.exe
Tree depth: 51
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4172
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
194KB
MD5
05e35cde9615f997867818cb6ae5b38f
SHA1
38726431f39e47c168ff014b7c04e0a00ebf2b85
SHA256
cb135da1bc06b5cf792c921e0b2cbf39d016eca0e718d1ac3a502c90ee3a9776
SHA512
6f3ae7b9a49a96a80cd49314f2dfa5c2c98a0ba678fc35952c1516ab3b0e12f6199fb55051fdcc8ef8bc04b4ba546499ce5e409487251ee495a57a6d12abea87
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e